Support #7482

[SCP ID: 3869]: Information Leakage and Improper Error Handling

Added by Zahir Abd Latif over 7 years ago. Updated over 7 years ago.

Status: Closed - End of life cycle
Start date: May 30, 2017
Priority: High
Due date: May 31, 2017
Assignee: Zahir Abd Latif
% Done: 100%
Category: -
Spent time: 1.00 hour
Target version: -

Description

Hi,
Kindly attend to the request below:

1. From Pentest, it is discovered that https://ecustody.maybank.co.id unintentionally generated an error message that includes sensitive information about its environment.
2. Steps to reproduce:
1) https://ecustody.maybank.co.id/bii_custody_main/ib101/ibLogin.do
post data : org.apache.struts.taglib.html.TOKEN=2807db4a4565d63293f1e1fd9e67fa90&userName=admin&password=Zaq1%40wsx123&companyId=abc123&authMode=S&otp=&action=Login
3. Error message is attached.
4. Mitigation actions required:
- Ensure that the entire software development team shares a common approach to exception handling.
- Disable or limit detailed error handling. In particular, do not display debug information, stack traces, or path information to end users.
- Ensure that secure paths that have multiple outcomes return similar or identical error messages in roughly the same time. If this is not possible, consider imposing a random wait time for all transactions to hide this detail from the attacker.
- Various layers may return fatal or exceptional results, such as the database layer or the underlying web server (IIS, Apache, etc.). It is vital that errors from all these layers are adequately checked and configured to prevent error messages from being exploited by intruders.
- Be aware that common frameworks return different HTTP error codes depending on whether the error is within your custom code or within the framework's code. It is worthwhile creating a default error handler which returns an appropriately sanitized error message for most users in production for all error paths.
- Overriding: choosing to override the default error handler so that it always returns "200" (OK) error screens reduces the ability of automated scanning tools to determine whether a serious error occurred. While this is "security through obscurity," it can provide an extra layer of defense.

5. Please fix this problem within 1 month, as this critical vulnerability is monitored closely by the KL Security team.

error_message_ecustody.png (50.9 KB) Zahir Abd Latif, May 30, 2017 11:48

History

#1 Updated by Rayvandy Gabbytian over 7 years ago

  • Due date set to May 31, 2017
  • Status changed from New - Begin Life Cycle to Pending Customer Feedback
  • Assignee changed from Rayvandy Gabbytian to Zahir Abd Latif

Dear Zahir,

I replied to Pak Stefanus's email on 30 May 2017 requesting that a connection be opened to development:

Dear Pak Stefanus,

As spoken earlier, we will assess the effort for fixing this issue (man/day utilization) and get back to you as soon as possible.
Meanwhile, we kindly need your team's help to open access from my laptop to the ecustody and CAS related servers for the purpose of replicating the issue, fixing it and internal testing.
Previously, we could access the ecustody and CAS remote desktops via VPN. However, our VPN access has expired, and we already requested a renewal on 21 March 2017; until now it is still pending the bank's internal approval.
...
Thank you.

On 31 May 2017 I also sent Pak Stefanus the effort breakdown for this fix (together with support ID 3869); so far there has been no reply.

Dear Pak Stefanus,

Attached is the effort that will be spent and deducted from the existing 20 man-day eCustody AMC. We need your review before we deliver the patch.

Also, below is the detailed investigation in regards to this case ID:

Pentest Finding:
From Pentest, it is discovered that https://ecustody.maybank.co.id unintentionally generated an error message that includes sensitive information about its environment.

Additional info:
The exception error is only shown if the user / attacker opens the browser's Web Inspector (Safari) / Web Developer (Firefox) / Developer Tools (Chrome), Postman or a similar tool. It does not, however, show in the user front end.
Screen Shot 2017-05-31 at 19.15.17.jpeg

Solution:
- Remove unnecessary exception messages inside the JSPs,
- Provide a general error. Currently it already shows as below:

Error while performing your request
Service is currently unavailable.
Please try again later.
Reject Code [9999].

Impact Analysis:
- Several low impacts to pages that handle error messages,
- No financial / transactional modules are affected.

Thank you.

Thanks.
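As an added example (not code from the ticket, the eCustody application or the vendor), the two halves of this case in one Python script: the check a tester would run against the raw response body, which is where the mitigation list in the description and the "Additional info" in comment #1 say the leak lives, and a default error handler shaped after the generic message quoted in comment #1. `find_leaks` scans a body for Java exception names, stack frames, file-system paths, server banners and database error codes; `fetch_body` retrieves the body the way Postman or the browser's network tab would, including for 5xx responses; `handle_exception` logs the full detail server-side under a random reference id and returns only the generic text. The sample error page, the logger name, the `Reference [...]` line, the class names, paths and Tomcat version are constructed for the example and are not taken from the attached screenshot.

```python
"""Added example, not from the ticket: a leak check for raw HTTP error bodies
and a sanitising default error handler of the kind the mitigation list asks for."""
from __future__ import annotations

import logging
import re
import secrets
import urllib.error
import urllib.parse
import urllib.request

# Patterns whose presence in a response body means server-side detail reached the client.
LEAK_PATTERNS = [
    re.compile(r"\b(?:java|javax|org\.apache|org\.springframework)\.[\w.$]*(?:Exception|Error)\b"),
    re.compile(r"^\s*at [\w.$<>]+\([\w.]+(?::\d+)?\)", re.M),                  # Java stack frame
    re.compile(r"Caused by:", re.I),                                             # chained cause
    re.compile(r"(?:/(?:opt|usr|home|var)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+)"),      # file-system paths
    re.compile(r"\b(?:Apache Tomcat|JBoss|WebLogic|WebSphere|GlassFish)/?[\d.]*", re.I),  # banners
    re.compile(r"\b(?:SQLException|ORA-\d{5}|SQLSTATE)\b"),                      # database errors
]


def find_leaks(body: str) -> list[str]:
    """Return the distinct fragments of a response body that match a leak pattern."""
    hits: list[str] = []
    for pat in LEAK_PATTERNS:
        for m in pat.finditer(body):
            frag = m.group(0).strip()
            if frag not in hits:
                hits.append(frag)
    return hits


def fetch_body(url: str, form: dict[str, str]) -> tuple[int, str]:
    """POST a form and return (status, body), keeping the body of 4xx/5xx responses.
    This is the view Postman or the browser's network tab gives; the page may render
    a friendly message on top of it. Makes a network call, so it is not run here."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


log = logging.getLogger("custody.errors")  # logger name is an assumption

# Wording of the generic page quoted in the ticket; the Reference line is an addition
# so support can find the server-side log entry without the client seeing any detail.
GENERIC_BODY = (
    "Error while performing your request\n"
    "Service is currently unavailable.\n"
    "Please try again later.\n"
    "Reject Code [{code}]. Reference [{ref}]."
)


def handle_exception(exc: BaseException, reject_code: str = "9999", status: int = 500) -> tuple[int, str]:
    """Default error handler: full detail goes to the server log under a random
    reference id; the client gets only the generic text plus that id. The ticket's
    last mitigation item suggests status=200 to blunt automated scanners."""
    ref = secrets.token_hex(6)
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc, exc_info=exc)
    return status, GENERIC_BODY.format(code=reject_code, ref=ref)


# Constructed sample of a leaking Struts/Tomcat error page (not the attached screenshot).
LEAKY_BODY = """<html><body><h1>HTTP Status 500</h1><pre>
javax.servlet.ServletException: java.lang.NullPointerException
\tat org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
Caused by: java.lang.NullPointerException
\tat com.example.custody.LoginAction.execute(LoginAction.java:88)
</pre><p>/opt/app/webapps/custody/WEB-INF/classes</p>
<h3>Apache Tomcat/7.0.52</h3></body></html>"""


if __name__ == "__main__":
    print("leaks in raw error page:", find_leaks(LEAKY_BODY))
    status, body = handle_exception(RuntimeError("java.sql.SQLException: ORA-01017: invalid username/password"))
    print(status, body, sep="\n")
    print("leaks after sanitising:", find_leaks(body))
```

Run against a live target, `fetch_body(url, form)` with the login form fields from the reproduction steps gives the `(status, body)` pair to feed into `find_leaks`; an empty list for every error path is the acceptance check for the fix, and a non-empty list pinpoints which layer (framework, container, database) is still writing detail into the response.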

#2 Updated by Zahir Abd Latif over 7 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle
  • % Done changed from 0 to 100

Issue closed in SCP.
