View Issue Details

ID: 0008011
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2023-09-21 12:23
Reporter: Randy Armstrong
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Fixed in Version: 1.05.03
Summary: 0008011: Restrictions on DiagnosticInfo.AdditionalInfo with unauthenticated Clients
Description

Many servers return full stack traces in AdditionalInfo which is quite helpful for debugging connecting issues.

This information could be exploited by a malicious client.

The text for the AdditionalInfo should add a caveat that, by default, AdditionalInfo shall only be provided to authenticated Clients.

If Servers accept all valid Certificates (like a GDS) then the AdditionalInfo shall only be provided to Clients with access to a Role that grants them some level of administrative privileges.

Servers may also have a "debug mode" that is enabled in configuration that increases the detail in AdditionalInfo provided to unauthenticated and authenticated Clients to facilitate debugging of connection issues. The "debug mode" should never be left enabled once these issues are resolved.

Servers should also log the additional info even if it is not returned to the client because it does not have sufficient rights.

Text should make it clear that clients may not get AdditionalInfo even if they ask for it.
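Read as a server-side policy, the points in this description, together with the wording the later notes settled on (DiagnosticInfo shall not contain any security related information), amount to three decisions per response: log the full diagnostic on the server, decide whether this session is entitled to AdditionalInfo at all, and scrub what is returned. The helper below is an added illustration of that policy, not code from the OPC UA specification or any SDK; the `Session` shape, the role names in `ADMIN_ROLES`, the stack-trace heuristics and the sample trace are all constructed for the example.

```python
"""Gate DiagnosticInfo.AdditionalInfo on session trust and scrub it of
security-sensitive detail. Hypothetical server-side helper (not SDK code)."""
import logging
import re
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("opcua.diagnostics")

# Roles taken to carry "some level of administrative privileges" (assumed names).
ADMIN_ROLES = frozenset({"SecurityAdmin", "ConfigureAdmin"})

# Constructed heuristics: a line of the form "   at Type.Method() in File.cs:line N"
# is a .NET stack frame; anything starting with a drive letter or "/" is a path.
_FRAME = re.compile(r"^\s*at\s+\S.*$")
_PATH = re.compile(r"(?:[A-Za-z]:\\|/)[^\s'\"]+")


@dataclass(frozen=True)
class Session:
    authenticated: bool                 # user token validated; False for Anonymous
    roles: frozenset = frozenset()      # roles granted to the session's identity


def scrub(raw: str, verbose: bool = False) -> str:
    """Drop stack frames and redact file-system paths. Non-verbose keeps only the
    first human-readable line; verbose (the server's 'debug mode') keeps every
    non-frame line, still without frames or paths."""
    kept = [ln.strip() for ln in raw.splitlines()
            if ln.strip() and not _FRAME.match(ln)]
    if not kept:
        kept = ["internal error"]
    text = "; ".join(kept) if verbose else kept[0]
    return _PATH.sub("<redacted-path>", text)


def additional_info_for(session: Session, raw: str, *, request_handle: int,
                        trust_all_clients: bool = False,
                        debug_mode: bool = False) -> Optional[str]:
    """Return the AdditionalInfo to put in the response, or None when the client
    is not entitled to any. The full text is always logged server side under
    the request handle so an operator can correlate it afterwards."""
    log.info("request %d diagnostics: %s", request_handle, raw)

    if not session.authenticated:
        return None                      # unauthenticated client: nothing, even if requested
    if trust_all_clients and not (session.roles & ADMIN_ROLES):
        return None                      # GDS-style server accepting all certificates: admins only

    return scrub(raw, verbose=debug_mode)


# Constructed sample of the kind of .NET-style trace a server might otherwise return.
SAMPLE_TRACE = (
    "Certificate validation failed: untrusted issuer\n"
    "   at ServerLib.Security.CertificateValidator.Validate() in "
    "C:\\build\\agent\\src\\Security\\CertificateValidator.cs:line 212\n"
    "   at ServerLib.Session.Activate() in C:\\build\\agent\\src\\Session.cs:line 88\n"
    "Inner: store path /etc/opcua/pki/trusted unreadable\n"
)

if __name__ == "__main__":
    anon = Session(authenticated=False)
    user = Session(authenticated=True)
    admin = Session(authenticated=True, roles=frozenset({"SecurityAdmin"}))
    print(additional_info_for(anon, SAMPLE_TRACE, request_handle=1))
    print(additional_info_for(admin, SAMPLE_TRACE, request_handle=2, trust_all_clients=True))
    print(additional_info_for(user, SAMPLE_TRACE, request_handle=3, debug_mode=True))
```

Because the scrub step runs regardless of role, "debug mode" here widens the returned text only to the extra explanatory lines, never to stack frames or paths, which is the reading consistent with the final resolution; the full trace is still available in the server log keyed by the request handle.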

Tags: No tags attached.
Commit Version: 1.05.03
Fix Due Date

Relationships

related to 0008012 closed Paul Hunkar 10000-002: Security Restrictions on DiagnosticInfo.AdditionalInfo with unauthenticated Clients
related to 0007947 closed Randy Armstrong 10000-006: Mappings Certificate Validation are missing details about the Reason in Error Message

Activities

Matthias Damm

2023-03-20 05:22

developer   ~0018905

Added the following clarification:

AdditionalInfo shall only be provided to authenticated Clients. If the Server trusts all Clients, it shall limit AdditionalInfo to authenticated users.
AdditionalInfo can be logged but is not returned in these cases even if requested by the Client.

Jim Luth

2023-03-22 17:55

administrator   ~0018971

Agreed to changes edited in Dallas meeting.

Matthias Damm

2023-09-15 08:07

developer   ~0019991

The AdditionalInfo is not necessarily security sensitive, providing full stack traces in it is a problem of the .Net SDK.

It makes no sense to generally prohibit the AdditionalInfo due to an implementation in a single product, instead it should prohibit security sensitive information in the AdditionalInfo.

Matthias Damm

2023-09-20 08:21

developer   ~0020009

Removed additional sentence for additionalInfo.
Removed:
AdditionalInfo shall only be provided, if the application has been configured to run in a debug mode. Debug mode shall be turned off by default.

Added following sentence to overall description for DiagnosticInfo:
The DiagnosticInfo shall not contain any security related information.

Jim Luth

2023-09-21 12:23

administrator   ~0020040

Agreed to changes in F2F.

Issue History

Date Modified Username Field Change
2022-05-25 15:24 Randy Armstrong New Issue
2022-05-25 15:25 Randy Armstrong Issue cloned: 0008012
2022-05-25 15:26 Randy Armstrong Description Updated
2022-07-05 16:37 Jim Luth Assigned To => Matthias Damm
2022-07-05 16:37 Jim Luth Status new => assigned
2022-07-05 16:37 Jim Luth Relationship added related to 0008012
2023-03-20 05:22 Matthias Damm Status assigned => resolved
2023-03-20 05:22 Matthias Damm Resolution open => fixed
2023-03-20 05:22 Matthias Damm Fixed in Version => 1.05.03 RC1
2023-03-20 05:22 Matthias Damm Note Added: 0018905
2023-03-22 17:55 Jim Luth Relationship added related to 0007947
2023-03-22 17:55 Jim Luth Status resolved => closed
2023-03-22 17:55 Jim Luth Note Added: 0018971
2023-09-15 08:07 Matthias Damm Status closed => feedback
2023-09-15 08:07 Matthias Damm Resolution fixed => reopened
2023-09-15 08:07 Matthias Damm Note Added: 0019991
2023-09-20 08:21 Matthias Damm Status feedback => resolved
2023-09-20 08:21 Matthias Damm Resolution reopened => fixed
2023-09-20 08:21 Matthias Damm Fixed in Version 1.05.03 RC1 => 1.05.03
2023-09-20 08:21 Matthias Damm Note Added: 0020009
2023-09-21 12:23 Jim Luth Status resolved => closed
2023-09-21 12:23 Jim Luth Commit Version => 1.05.03
2023-09-21 12:23 Jim Luth Note Added: 0020040