...
| Wiki Markup |
|---|
This rule applies to server-side applications as well as to clients. Attackers can glean sensitive information not only from vulnerable web servers but also from victims who use vulnerable web browsers. In 2004, Schönefeld discovered an exploit for the Opera v7.54 web browser in which an attacker could use the {{sun.security.krb5.Credentials}} class in an applet as an oracle to "retrieve the name of the currently logged in user and parse his home directory from the information which is provided by the thrown {{java.security.AccessControlException}}" \[[Schönefeld 2004|AA. Bibliography#SchoenefeldReferences#Schoenefeld 04]\]. |
All exceptions reveal information that can assist an attacker's efforts to carry out a denial of service (DoS) against the system. Consequently, programs must filter both exception messages and exception types that can propagate across trust boundaries. The following table lists several problematic exceptions:
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5ec255d78ee70891-af365fbd-4cfa4e5b-9d5db2c1-0ea1f5c6587d189d51d1c673"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong References#Gong 03]] | 9.1, Security Exceptions | ]]></ac:plain-text-body></ac:structured-macro> |
...