New Features 2017 / NF-5482

[Security] Login page: Server error with stack trace displayed on login page.

    Details

    • Type: Bug
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:
      Pre Production
    • Bug Type:
      Functional
    • Bug Severity:
      Medium
    • Level:
      Admin, Employee, Partner
    • Module:
      BenAdmin - Security
    • Reported by:
      Harbinger
    • Company:
      All Clients/Multiple Clients
    • Item State:
      Development - On Hold
    • Mobile Platform :
      Web Service

      Description

      Environment: Pre-production

      Steps to Repro:

      1. Launch pre-prod using the link "https://preprod.workterra.net/Platform/Login/Login/"
      2. Tamper with this link by appending different combinations of numbers, special characters and words, then press Enter.
      3. Verify that every combination is handled gracefully and that no stack trace is displayed on the login page.

      Actual Result: The stack trace, together with the server error heading "Server Error in '/Platform' Application." (the ASP.NET detailed error page, which exposes exception details, stack frames and framework version information to any unauthenticated visitor), is displayed on screen.
      Expected Result: After the link is tampered with, the user should be redirected back to the actual application link "https://preprod.workterra.net/Platform/Login/Login/" with no error details shown.

      Combinations used for link tampering:

      https://preprod.workterra.net/Platform/Login/Login/select * from employee
      https://preprod.workterra.net/Platform/Login/Login/select
      https://preprod.workterra.net/Platform/Login/Login/-1
      https://preprod.workterra.net/Platform/Login/Login/**
      https://preprod.workterra.net/Platform/Login/Login/1=1
      https://preprod.workterra.net/Platform/Login/Login/!!
      https://preprod.workterra.net/Platform/Login/Login/update

      There can be many combinations like this.

      Note: This has been verified on the production link "https://www.workterra.net/Platform/Login/Login/" and no stack trace was displayed there, so the disclosure appears to be specific to the pre-production configuration.
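      The tampered-link check described in the steps above, as an added example that is not part of the ticket or of the Workterra code base. It builds the ticket's URL variants from the two affected pre-production pages plus the production login page, classifies each response on its body rather than its status code (ASP.NET serves the detailed error page with a 404 for an unknown route and a 500 for an unhandled exception, so a status-only check misses the disclosure), and runs offline against a constructed response that only mimics the shape of the ASP.NET detailed error page. `sample_fetch`, `live_fetch`, `SAMPLE_ERROR_PAGE` and the marker list are assumptions of this example; `live_fetch` is meant for an authorized re-test only.

```python
"""Link-tampering re-check for NF-5482 (added example, not ticket or project code).
Assumptions: base URLs and suffixes are taken from the ticket; sample_fetch,
live_fetch and SAMPLE_ERROR_PAGE are constructed for this example."""
import re
from dataclasses import dataclass, field
from urllib.parse import quote

# Pages named in the ticket, plus the production login page the note says is clean.
BASE_URLS = [
    "https://preprod.workterra.net/Platform/Login/Login/",
    "https://preprod.workterra.net/Platform/Customization/Customization/OpenEnrollmentDashboard",
    "https://www.workterra.net/Platform/Login/Login/",
]

# Suffixes tried in the ticket description and its first comment.
TAMPER_SUFFIXES = [
    "select * from employee", "select", "-1", "**", "1=1", "!!", "update",
    "&&", "Select *",
]

# Markers of the ASP.NET detailed error page ("yellow screen"). Any one of them
# in a response body means framework internals reached the client.
LEAK_PATTERNS = {
    "yellow-screen heading": re.compile(r"Server Error in '[^']*' Application\."),
    "stack trace label": re.compile(r"Stack Trace:"),
    "exception bracket": re.compile(r"\[\w+Exception\b"),
    "stack frame": re.compile(r"^\s+(?:at\s+)?[\w.]+\([^\n]*\)", re.MULTILINE),
    "version banner": re.compile(r"Version Information:.*\.NET Framework"),
}


@dataclass
class Finding:
    url: str
    status: int
    leaks: bool
    markers: list = field(default_factory=list)


def tampered_urls(base):
    """Append every suffix to the base URL. Spaces are percent-encoded as a
    browser would; '*', '!', '=' and '&' stay literal to match the ticket."""
    return [base + quote(s, safe="*!=&") for s in TAMPER_SUFFIXES]


def classify(url, status, body):
    """Decide on the body, not the status: ASP.NET serves the detailed page
    with 404 for an unknown route and 500 for an unhandled exception."""
    hits = [name for name, pat in LEAK_PATTERNS.items() if pat.search(body)]
    return Finding(url=url, status=status, leaks=bool(hits), markers=hits)


def audit(fetch, bases=BASE_URLS):
    """fetch(url) -> (status, body). Returns one Finding per tampered URL."""
    return [classify(url, *fetch(url)) for base in bases for url in tampered_urls(base)]


def report(findings):
    """Plain-text summary, one line per probe, suitable for pasting into the ticket."""
    lines = []
    for f in findings:
        tag = "LEAK" if f.leaks else "ok  "
        extra = f"  [{', '.join(f.markers)}]" if f.leaks else ""
        lines.append(f"{tag} {f.status} {f.url}{extra}")
    return "\n".join(lines)


# Constructed response that mimics the shape of the ASP.NET detailed error page;
# it is not a capture from the Workterra site.
SAMPLE_ERROR_PAGE = """<html><head><title>Server Error in '/Platform' Application.</title></head>
<body><h1>Server Error in '/Platform' Application.</h1>
<h2><i>The resource cannot be found.</i></h2>
<b>Stack Trace:</b>
<pre>[HttpException (0x80004005): The resource cannot be found.]
   System.Web.CachedPathData.ValidatePath(String physicalPath) +42
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously) +86
</pre>
<b>Version Information:</b> Microsoft .NET Framework Version:4.0.30319
</body></html>"""


def sample_fetch(url):
    """Offline stand-in for a fetcher, modelled on the ticket's observations:
    pre-production answers with the detailed page (here with a 404, which a
    status-only check would pass), production redirects back to Login."""
    if url.startswith("https://preprod."):
        return 404, SAMPLE_ERROR_PAGE
    return 302, ""


def live_fetch(url, timeout=10):
    """Fetcher for an authorized re-test. Redirects are not followed, so the
    302 back to the login page is reported as-is instead of being chased."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None

    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(report(audit(sample_fetch)))
```

      Running the block prints one line per probe; swapping `sample_fetch` for `live_fetch` in `audit` turns it into the actual re-test. The script only detects the disclosure. The remedy belongs in the application's error handling (in ASP.NET, the `customErrors` section of web.config pointing at a generic error page, which gives the redirect to the login page the ticket expects), and the fix should be confirmed by re-running the audit against the corrected build and checking that every pre-production line reads `ok`.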

      CC: Prasad Pise, Samir, Rakesh Roy, Vijayendra Shinde, Bharti Satpute


          Activity

          anirudha.joshi anirudha joshi (Inactive) added a comment -

          This issue is also present on the OE Dashboard page. Tried appending the combinations below to the OE Dashboard link and found that the stack trace is displayed on screen.

          &&
          **
          Select *

          Below are the tampered links:

          https://preprod.workterra.net/Platform/Customization/Customization/OpenEnrollmentDashboard&&
          https://preprod.workterra.net/Platform/Customization/Customization/OpenEnrollmentDashboard**
          https://preprod.workterra.net/Platform/Customization/Customization/OpenEnrollmentDashboardSelect *

          Santosh Balid, Vijayendra Shinde, Prasad Pise, Rakesh Roy, Samir, Bharti Satpute
          anirudha.joshi anirudha joshi (Inactive) added a comment -

          Found this issue on the following pages also:

          1. OE Dashboard
          2. User Credentials Settings
          3. Change employee Status
          4. Change employee password
          5. Dashboard configuration
          6. Get User Policies
          santosh.balid Santosh Balid (Inactive) added a comment -

          Please plan it in future sprints.

          Cc : Satya, Jaideep Vinchurkar, Bharti Satpute


            People

            Assignee:
            gaurav.sodani Gaurav Sodani (Inactive)
            Reporter:
            anirudha.joshi anirudha joshi (Inactive)
            QA:
            anirudha joshi (Inactive)
            Votes:
            0
            Watchers:
            2
