Detailed server configuration in the error

Description

Overview

The application reveals server configuration details when the URL below is visited:

https://pentest24.eastus.cloudapp.azure.com/opennms/KSC/formProcReport.htm?action=Save&graph_index=-1&report_title=New+Report+Titledfdfdfdfdf&graphs_per_line=0

Any error message that contains more information than is necessary for users is verbose. Errors are inevitable, and there will always be an event that may be unexpected to an application or a server. The server may respond to this unexpected activity with a warning or an alert.

While these error messages can inform the user that an error has occurred, some error messages also contain information about the backend technology or framework in use. For example, a server responds with a ‘400 Bad Request’ error along with server name and version on the web application page. An attacker could use this information to research the target application or server, and plan more advanced attacks.

Many verbose error messages provide information about the software components, technology, or frameworks in use. They could also include database errors that hint at potential SQL Injection (SQLi) vectors, or JavaScript errors that could indicate a Cross-Site Scripting (XSS) vulnerability. An attacker could also use verbose errors for Username Enumeration.

References

Browser URL

https://pentest24.eastus.cloudapp.azure.com/opennms/KSC/formProcReport.htm?action=Save&graph_index=-1&report_title=New+Report+Titledfdfdfdfdf&graphs_per_line=0

Steps To Reproduce

Visit the URL below to see the server configuration details:

https://pentest24.eastus.cloudapp.azure.com/opennms/KSC/formProcReport.htm?action=Save&graph_index=-1&report_title=New+Report+Titledfdfdfdfdf&graphs_per_line=0

![Screenshot 2024-04-21 at 5.31.14 AM.png](https://api.us.cobalt.io/v1/attachments/att_WQDxkhd/preview)

Severity

low

An attacker can use the disclosed information about the backend server stack to enumerate the version or technology in use and then look up the vulnerabilities associated with that version or technology, or use the error information returned by the server to launch a more focused attack.

Suggested Fix

  • Use custom error messages or generic warnings that do not disclose any information about the application or server.

  • Remove default web server pages.

  • Perform proper error handling at the code level. Refer to error handling information in the references section.

  • Avoid providing stack trace error messages.

  • Implement a proper error handling policy so that all web applications have the same standards for error handling.

  • Determine which information can be displayed to the user, and which information should be logged as a part of error handling.

Prerequisites

HTTP Request

GET /opennms/KSC/formProcReport.htm?action=Save&graph_index=-1&report_title=New+Report+Titledfdfdfdfdf&graphs_per_line=0 HTTP/1.1

Host: pentest24.eastus.cloudapp.azure.com
Cookie: JSESSIONID=node01dix2en79fbc613kdthb9ozsh586133.node0
Sec-Ch-Ua: "Chromium";v="123", "Not:A-Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=0, i
Connection: close

Cobalt URL

#PT22584_4

Acceptance / Success Criteria

None

Attachments

  • 13 Jun 2024, 06:31 PM (1 attachment)

Activity

Christian Pape July 9, 2024 at 12:51 PM

The system details are only displayed if the log level is set to DEBUG.
Please review:
* PR: https://github.com/OpenNMS/opennms/pull/7353

Fixed

Details

Created June 13, 2024 at 6:31 PM
Updated July 9, 2024 at 4:14 PM
Resolved July 9, 2024 at 4:14 PM