Bug 58047 - System Information Leak
Summary: System Information Leak
Status: RESOLVED WORKSFORME
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2015-06-17 13:04 UTC by Donald
Modified: 2015-06-26 12:01 UTC
Attachments
scan report (79.46 KB, application/pdf)
2015-06-17 13:04 UTC, Donald
Description Donald 2015-06-17 13:04:15 UTC
Created attachment 32832
scan report

POI might reveal system data or debugging information which could help an adversary form a plan of attack. External leaks can help an attacker by revealing specific data about operating systems, full pathnames, the existence of usernames, or locations of configuration files, and are more serious than internal information leaks which are more difficult for an attacker to access.
Comment 1 Dominik Stadler 2015-06-26 12:01:11 UTC
Analysis: All instances reported in the report are reported as "low" and are about exception information being retrieved at some point and an OutputStream.write() call in a totally unrelated place, so it is unclear to me what the actual vulnerability is about here.

If you have a specific case where you think there is an actual vulnerability, please describe it, but I could only see false-positives here.

Naturally security scanners report as much as possible to justify their costs, unfortunately this means that you most often need to wade through a bunch of useless reports to find out if there are actual things that should be fixed.