[WT-10524] [Security] [ZAP-Active Scan Alert] Format String Error reported for LanguageName parameter. - Workterra Jira

Details

Type: Bug
Status: Rejected
Priority: Medium
Resolution: Cancelled
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Environment:

Stage
Bug Type:
Functional
Bug Severity:
Medium
Level:

Employee
Module:
Platform - Security
Reported by:
Harbinger
Item State:
Development - On Hold

Description

[Security] [ZAP-Active Scan Alert] Format String Error reported for LanguageName parameter.

Description
A Format String error occurs when the submitted data of an input string is evaluated as a command by the application.

URL : https://stage.workterra.net/Platform/

Method : POST

Parameter :
LanguageName

Attack :
ZAP%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s

Solution :
Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable.

Other information :
Potential Format String Error. The script closed the connection on a /%s

Please refer attached HTML report for more details.

CC : Rakesh Roy Sachin Hingole Hrishikesh Deshpande Samir Vijayendra Shinde Vijay Siddha Bharti Satpute Gaurav Sodani Nidhi Kaul

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Employee_ActiveScan_Stage_9Aug2017.html
24 kB
09/Aug/17 11:35 AM

Issue Links

relates to

NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.

To Do

Activity

Ascending order - Click to sort in descending order

Prasad Pise (Inactive) created issue - 09/Aug/17 11:35 AM

Prasad Pise (Inactive) made changes - 09/Aug/17 11:37 AM

Field	Original Value	New Value
Link		This issue relates to NF-2714 [ NF-2714 ]

Satya made changes - 07/Sep/17 12:09 PM

Assignee

Satya [ ID10004 ]

Jaideep Vinchurkar [ jaideep.vinchurkar ]

Jaideep Vinchurkar (Inactive) made changes - 08/Sep/17 11:42 AM

Assignee

Jaideep Vinchurkar [ jaideep.vinchurkar ]

Akash Thakur [ akash.thakur ]

Gaurav Sodani (Inactive) made changes - 08/Sep/17 06:49 PM

Sprint

WT Sprint 37 - Bugs [ 87 ]

Jaideep Vinchurkar (Inactive) made changes - 12/Sep/17 11:44 AM

Dev Due Date

21/Sep/2017

Permalink

Akash Thakur (Inactive) logged work - 14/Sep/17 10:28 AM

Time Spent:

2h

Analysis of zap active scan vulnerability reported for parameter

Akash Thakur (Inactive) made changes - 15/Sep/17 10:28 AM

Remaining Estimate	2h [ 7200 ]	6h [ 21600 ]
Original Estimate	2h [ 7200 ]	6h [ 21600 ]

Permalink

Akash Thakur (Inactive) logged work - 15/Sep/17 10:29 AM

Time Spent:

4h

debugging and trying workaround for format error string issue reported by zap.

Akash Thakur (Inactive) made changes - 15/Sep/17 10:29 AM

Remaining Estimate	6h [ 21600 ]	4h [ 14400 ]
Time Spent		2h [ 7200 ]
Worklog Id		78949 [ 78949 ]

Akash Thakur (Inactive) made changes - 15/Sep/17 10:30 AM

Remaining Estimate	4h [ 14400 ]	0h [ 0 ]
Time Spent	2h [ 7200 ]	6h [ 21600 ]
Worklog Id		78950 [ 78950 ]

Gaurav Sodani (Inactive) made changes - 21/Sep/17 10:35 AM

Item State

Parent values: Development(10200)Level 1 values: In Analysis(10204)

Jaideep Vinchurkar (Inactive) made changes - 22/Sep/17 09:30 AM

Item State

Parent values: Development(10200)Level 1 values: In Analysis(10204)

Parent values: Development(10200)Level 1 values: On Hold(10207)

Jaideep Vinchurkar (Inactive) made changes - 22/Sep/17 09:30 AM

Dev Due Date

21/Sep/2017

Hide

Permalink

Jaideep Vinchurkar (Inactive) added a comment - 22/Sep/17 09:31 AM

Keeping on hold because of low bandwidth

Show

Jaideep Vinchurkar (Inactive) added a comment - 22/Sep/17 09:31 AM Keeping on hold because of low bandwidth

Gaurav Sodani (Inactive) made changes - 25/Sep/17 06:32 AM

Sprint

WT Sprint 37 - Bugs [ 87 ]

Satya made changes - 04/Nov/17 06:31 AM

Environment_New

Stage [ 18443 ]

Permalink

Akash Thakur (Inactive) logged work - 21/Nov/17 10:49 AM

Time Spent:

4h

Analysis & solution scope

Akash Thakur (Inactive) made changes - 22/Nov/17 10:49 AM

Time Spent	6h [ 21600 ]	10h [ 36000 ]
Worklog Id		92072 [ 92072 ]

Permalink

Akash Thakur (Inactive) logged work - 23/Nov/17 06:20 AM

Time Spent:

3h

<No comment>

Akash Thakur (Inactive) made changes - 23/Nov/17 06:20 AM

Time Spent	10h [ 36000 ]	13h [ 46800 ]
Worklog Id		92289 [ 92289 ]

Jaideep Vinchurkar (Inactive) made changes - 06/Dec/17 06:00 AM

Assignee

Akash Thakur [ akash.thakur ]

Santosh Balid [ santosh.balid ]

Hide

Permalink

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:28 PM

Please plan it in future sprints.

Cc : Satya, Jaideep Vinchurkar, Bharti Satpute

Show

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:28 PM Please plan it in future sprints. Cc : Satya , Jaideep Vinchurkar , Bharti Satpute

Santosh Balid (Inactive) made changes - 16/Jan/18 01:28 PM

Assignee

Santosh Balid [ santosh.balid ]

Gaurav Sodani [ gaurav.sodani ]

Vijayendra Shinde (Inactive) made changes - 04/Apr/18 05:39 AM

Assignee

Gaurav Sodani [ gaurav.sodani ]

Prasad Pise [ prasadp ]

Prashant Samal (Inactive) made changes - 04/Jul/18 12:23 AM

Status

Open [ 1 ]

In Development [ 10007 ]

Prashant Samal (Inactive) made changes - 04/Jul/18 12:24 AM

Resolution		Cancelled [ 10300 ]
Status	In Development [ 10007 ]	Rejected [ 10004 ]

Vijayendra Shinde (Inactive) made changes - 15/Dec/20 02:53 AM

Link

This issue relates to DEV-13718 [ DEV-13718 ]

Transition	Time In Source Status	Execution Times

Prashant Samal (Inactive) made transition - 04/Jul/18 12:23 AM

Open

In Development

328d 12h 48m

Prashant Samal (Inactive) made transition - 04/Jul/18 12:24 AM

In Development

Rejected

People

Assignee:: Prasad Pise (Inactive)

Reporter:: Prasad Pise (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 09/Aug/17 11:35 AM

Updated:: 15/Dec/20 02:53 AM

Resolved:: 04/Jul/18 12:24 AM

Time Tracking

Estimated:

Remaining:

Logged:

13h