[ https://issues.apache.org/jira/browse/JSPWIKI-83?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Holeczek closed JSPWIKI-83.
-----------------------------------
> Ounce Labs Security Finding: DOS - Readlines
> ---------------------------------------------
>
> Key: JSPWIKI-83
> URL: https://issues.apache.org/jira/browse/JSPWIKI-83
> Project: JSPWiki
> Issue Type: Bug
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Priority: Minor
> Attachments: report.pdf
>
>
> Description:
> The application contains a variety of different locations where unbound reads
> may theoretically expose the application to DOS attacks. If an attacker is
> capable of controlling whether the reads continue he may cause the DOS
> attack.
> Recommendation:
> Ensure that the reads are bound by a certain threshold to prevent DOS
> potentials.
> Related Code Locations:
> 11 findings:
> Name:
> com.ecyrd.jspwiki.diff.ExternalDiffProvider.colorizeDiff(java.lang.String):java.lang.String
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\diff\ExternalDiffProvider.java
> Line / Col: 165 / 0
> Context: in . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.providers.RCSFileProvider.getPageInfo(java.lang.String;int):com.ecyrd.jspwiki.WikiPage
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
> Line / Col: 148 / 0
> Context: stdout . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.SearchMatcher.matchPageContent(java.lang.String;java.lang.String):com.ecyrd.jspwiki.SearchResult
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\SearchMatcher.java
> Line / Col: 67 / 0
> Context: in . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.providers.RCSFileProvider.getVersionHistory(java.lang.String):java.util.List
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
> Line / Col: 471 / 0
> Context: stdout . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.providers.RCSFileProvider.getPageText(java.lang.String;int):java.lang.String
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
> Line / Col: 278 / 0
> Context: stderr . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.FileUtil.runSimpleCommand(java.lang.String;java.lang.String):java.lang.String
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\FileUtil.java
> Line / Col: 114 / 0
> Context: stderr . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.FileUtil.runSimpleCommand(java.lang.String;java.lang.String):java.lang.String
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\FileUtil.java
> Line / Col: 108 / 0
> Context: stdout . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.providers.RCSFileProvider.deleteVersion(java.lang.String;int):void
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
> Line / Col: 605 / 0
> Context: stderr . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.filters.SpamFilter.parseBlacklist(java.lang.String):java.util.Collection
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\filters\SpamFilter.java
> Line / Col: 224 / 0
> Context: in . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.providers.RCSFileProvider.getPageInfo(java.lang.String;int):com.ecyrd.jspwiki.WikiPage
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
> Line / Col: 212 / 0
> Context: stdout . java.io.BufferedReader.readLine ()
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.providers.RCSFileProvider.putPageText(com.ecyrd.jspwiki.WikiPage;java.lang.String):void
> Type: Vulnerability.AppDOS
> Severity: Low
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
> Line / Col: 394 / 0
> Context: error . java.io.BufferedReader.readLine ()
> -----------------------------------
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira