My Oracle Support Banner

Source Code Comments In Base HTML/JSP Files Revealing Potentially Sensitive Information (Doc ID 2519631.1)

Last updated on DECEMBER 04, 2019

Applies to:

Oracle Utilities Customer Care and Billing - Version 2.3.1 and later
Information in this document applies to any platform.

Goal

On : 2.3.1 version, ENV - Environment

Source code comments in base HTML/JSP files revealing potentially sensitive information

The Security audit team has identified source code comments in base HTML/JSP files revealing potentially sensitive information.

Information giving full paths to internal resources should not be present on code comments on a production system.

The behavior is same for all base pages provided by Oracle as a part of CCB installation. Here is an example of the concerned potential risk.

The "billSegmentInfoPanel" page displays the source path in comments section in HTML view source. This has also been identified by the tool that checks for such potential threats.

Navigation to replicate:
Go to Main Menu - > Financial -> Bill Segment -> Search a BS ID
Now, Right click Bill Segment Info frame area in IE browser and click "view source". (See attached screenshot & debug log)

This will reveal the file path of XSL files and some other paths.

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.