JBoss 3.2.8.GA information disclosure vulnerability (NonManagedConnectionFactory.java)

One more example of a badly implemented logging routine in JBoss: when an SQLException occurs, the value of the variable pwd (the JDBC password) is written to the log file in plaintext:

    public Connection getConnection()
    {
        ...
        catch (SQLException e)
        {
            reportAndRethrowError("Failed to get connection for url=" + url + ", user=" + usr + ", password=" + pwd, e);

where

    pwd = config.getJdbcPassword();

Source: NonManagedConnectionFactory.java
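The following is an added illustration, not code from JBoss or from the original post: the same error path written the way the 3.2.8.GA snippet does it, next to a hardened variant that keeps url and user in the message (they are useful for diagnosing the failure) but never places the password itself in it. The class, field values, and the leaksSecret() helper are assumptions made for the demo.

```java
import java.sql.SQLException;

// Added illustration, not JBoss code: the vulnerable message construction
// from the 3.2.8.GA snippet beside a hardened form that never places the
// JDBC password in the log message.
public class ConnectionFactoryLoggingDemo {

    // Hypothetical stand-ins for the fields NonManagedConnectionFactory
    // reads from its configuration (values constructed for the demo).
    private final String url = "jdbc:hsqldb:mem:demo";
    private final String usr = "app";
    private final String pwd = "s3cret-example"; // constructed sample secret

    // Vulnerable variant: the password is concatenated into the message
    // that the error reporter writes to the log before rethrowing.
    String vulnerableMessage(SQLException e) {
        return "Failed to get connection for url=" + url + ", user=" + usr
                + ", password=" + pwd + "; cause: " + e.getMessage();
    }

    // Hardened variant: record only whether a password was configured,
    // which is all an operator needs to tell "missing credential" from
    // "wrong credential" without exposing the value.
    String hardenedMessage(SQLException e) {
        String pwdState = (pwd == null || pwd.isEmpty()) ? "absent" : "set";
        return "Failed to get connection for url=" + url + ", user=" + usr
                + ", password=" + pwdState + "; cause: " + e.getMessage();
    }

    // Guard a unit test or code review can apply to any log line: does the
    // message contain the configured secret verbatim?
    static boolean leaksSecret(String message, String secret) {
        return secret != null && !secret.isEmpty() && message.contains(secret);
    }

    public static void main(String[] args) {
        ConnectionFactoryLoggingDemo f = new ConnectionFactoryLoggingDemo();
        SQLException e = new SQLException("Connection refused"); // constructed failure

        String bad = f.vulnerableMessage(e);
        String good = f.hardenedMessage(e);

        System.out.println("vulnerable: " + bad + "  leaks=" + leaksSecret(bad, f.pwd));
        System.out.println("hardened:   " + good + "  leaks=" + leaksSecret(good, f.pwd));
    }
}
```

Compile and run with `javac ConnectionFactoryLoggingDemo.java && java ConnectionFactoryLoggingDemo`. The leaksSecret() check is deliberately simple; the point is that a test of this shape, fed the configured password and the message an error path produces, would have caught the JBoss defect before it reached a log file that is typically world-readable to operators, backup systems and log shippers.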
