Source Code Comments In Base HTML/JSP Files Revealing Potentially Sensitive Information
(Doc ID 2519631.1)
Last updated on DECEMBER 04, 2019
Applies to:
Oracle Utilities Customer Care and Billing - Version 2.3.1 and laterInformation in this document applies to any platform.
Goal
On : 2.3.1 version, ENV - Environment
Source code comments in base HTML/JSP files revealing potentially sensitive information
The Security audit team has identified source code comments in base HTML/JSP files revealing potentially sensitive information.
Information giving full paths to internal resources should not be present on code comments on a production system.
The behavior is same for all base pages provided by Oracle as a part of CCB installation. Here is an example of the concerned potential risk.
The "billSegmentInfoPanel" page displays the source path in comments section in HTML view source. This has also been identified by the tool that checks for such potential threats.
Navigation to replicate:
Go to Main Menu - > Financial -> Bill Segment -> Search a BS ID
Now, Right click Bill Segment Info frame area in IE browser and click "view source". (See attached screenshot & debug log)
This will reveal the file path of XSL files and some other paths.
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| Solution |
| References |