Monthly Archives: January 2012

JBoss 3.2.8.GA information disclosure vulnerability (NonManagedConnectionFactory.java)

One more example of a poorly implemented logging call in JBoss: when an SQLException occurs, the value of the variable pwd is written to the log file in plaintext:

public Connection getConnection()
{
    ......
    catch (SQLException e)
    {
        reportAndRethrowError("Failed to get connection for url=" + url + ", user=" + usr + ", password=" + pwd, e);

where
pwd = config.getJdbcPassword();

Source: NonManagedConnectionFactory.java
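The following is an added example, not code from the JBoss source discussed above. It reproduces the shape of the vulnerable catch block beside a hardened version that keeps the password out of the log message and the rethrown exception. The connection URL, user name and password are constructed values; the URL uses a scheme with no registered JDBC driver, so DriverManager.getConnection() always fails here and the catch path is exercised without a database.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.logging.Logger;

// Added example (not JBoss code): contrasts the logging pattern from
// NonManagedConnectionFactory.getConnection() with a version that does not
// place the JDBC password in the log or in the rethrown exception message.
public class ConnectionLoggingDemo {
    private static final Logger LOG = Logger.getLogger(ConnectionLoggingDemo.class.getName());

    // Constructed settings. "jdbc:example" has no registered driver, so
    // DriverManager.getConnection() throws SQLException ("No suitable driver").
    private static final String URL = "jdbc:example://db.internal:5432/app";
    private static final String USER = "app_user";
    private static final String PASSWORD = "constructed-s3cret";

    // Same defect as the JBoss snippet: the password is concatenated into the
    // message, so it reaches the log file and any stack trace that prints
    // the exception message (error pages, crash reports, ticket attachments).
    static Connection getConnectionVulnerable() throws SQLException {
        try {
            return DriverManager.getConnection(URL, USER, PASSWORD);
        } catch (SQLException e) {
            String msg = "Failed to get connection for url=" + URL
                    + ", user=" + USER + ", password=" + PASSWORD;
            LOG.severe(msg);
            throw new SQLException(msg, e);
        }
    }

    // Hardened: the message carries only what an operator needs to diagnose
    // the failure (target URL and user name); the secret is never formatted.
    static Connection getConnectionHardened() throws SQLException {
        try {
            return DriverManager.getConnection(URL, USER, PASSWORD);
        } catch (SQLException e) {
            String msg = "Failed to get connection for url=" + URL + ", user=" + USER;
            LOG.severe(msg);
            throw new SQLException(msg, e);
        }
    }

    // Simple check an engineer can run in a unit test: the exception message
    // of the hardened path must not contain the configured password.
    static boolean messageLeaksPassword(String message) {
        return message != null && message.contains(PASSWORD);
    }

    public static void main(String[] args) {
        try {
            getConnectionVulnerable();
        } catch (SQLException e) {
            System.out.println("vulnerable path leaks password: " + messageLeaksPassword(e.getMessage()));
        }
        try {
            getConnectionHardened();
        } catch (SQLException e) {
            System.out.println("hardened path leaks password: " + messageLeaksPassword(e.getMessage()));
        }
    }
}
```

Run with `java ConnectionLoggingDemo.java` (JDK 11 or later). The vulnerable path prints `true` and the hardened path `false`. Note that the defect is not limited to the log line: because the message is also handed to the rethrown exception, the secret travels with the stack trace to every place that exception is later printed.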
