My Oracle Support Banner

Source Code Comments In Base HTML/JSP Files Revealing Potentially Sensitive Information (Doc ID 2519631.1)

Last updated on MAY 31, 2024

Applies to:

Oracle Utilities Customer Care and Billing - Version 2.1.0 to 2.3.1 [Release 2.1 to 2.3]
Oracle Utilities Framework - Version 2.1.0 to 4.1.0 [Release 2.1 to 4.1]
Information in this document applies to any platform.

Goal

On : 2.3.1 version, ENV - Environment

Source code comments in base HTML/JSP files revealing potentially sensitive information

The Security audit team has identified source code comments in base HTML/JSP files revealing potentially sensitive information.

Information giving full paths to internal resources should not be present on code comments on a production system.

The behavior is same for all base pages provided by Oracle as a part of CCB installation. Here is an example of the concerned potential risk.

The "billSegmentInfoPanel" page displays the source path in comments section in HTML view source. This has also been identified by the tool that checks for such potential threats.

Navigation to replicate:
Go to Main Menu - > Financial -> Bill Segment -> Search a BS ID
Now, Right click Bill Segment Info frame area in IE browser and click "view source". (See attached screenshot & debug log)

This will reveal the file path of XSL files and some other paths.

 

Install the below bug fix patch STRIP HTML/JAVASCRIPT COMMENTS VIA SERVLETFILTER.

And then user should be able to just turn on STRIP_HTML_COMMENTS through the menu option.

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.