Source Code Comments In Base HTML/JSP Files Revealing Potentially Sensitive Information
(Doc ID 2519631.1)
Last updated on SEPTEMBER 27, 2022
Applies to:Oracle Utilities Customer Care and Billing - Version 2.1.0 to 2.3.1 [Release 2.1 to 2.3]
Oracle Utilities Framework - Version 2.1.0 to 4.1.0 [Release 2.1 to 4.1]
Information in this document applies to any platform.
On : 2.3.1 version, ENV - Environment
Source code comments in base HTML/JSP files revealing potentially sensitive information
The Security audit team has identified source code comments in base HTML/JSP files revealing potentially sensitive information.
Information giving full paths to internal resources should not be present on code comments on a production system.
The behavior is same for all base pages provided by Oracle as a part of CCB installation. Here is an example of the concerned potential risk.
The "billSegmentInfoPanel" page displays the source path in comments section in HTML view source. This has also been identified by the tool that checks for such potential threats.
Navigation to replicate:
Go to Main Menu - > Financial -> Bill Segment -> Search a BS ID
Now, Right click Bill Segment Info frame area in IE browser and click "view source". (See attached screenshot & debug log)
This will reveal the file path of XSL files and some other paths.
And then user should be able to just turn on STRIP_HTML_COMMENTS through the menu option.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document