Page MenuHomeVulnz

Error message reveals information about some internal data structure
VerifiedPublic

Description

Abstract

When passing specific parameters to a page which displays receipts, Giga shows an error message and prints out an array showing a list of fields, maybe detailing a database structure or some other sort of internal structure.

Reproduction steps

  1. Open http://www2.giga.ub.edu/acad/rebuts/erebut.php?NIUB=%20&NUCO=1 (it doesn't matter whether you have logged in).

Severity of the vulnerability

This is not a severe vulnerability, and I don't even think this could be considered as a security vulnerability alone, because it cannot be used to directly exploit the system in any way. Despite this, I think this would allow an attacker to have a better understanding of how the system works internally and it would make it easier for them to find other vulnerabilities.

What should be done?

The array printed should be removed from the page.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Vendor
Universitat de Barcelona
Product
GIGA
Reported
Mar 18 2019, 12:47 AM
Deadline
90

Event Timeline

avm99963 created this task.Mar 14 2019, 3:26 PM
avm99963 triaged this task as Priority-3 priority.
avm99963 updated the task description. (Show Details)Mar 14 2019, 3:40 PM
avm99963 set Reported to Mar 18 2019, 12:47 AM.Mar 18 2019, 12:52 AM
avm99963 closed this task as Verified.Mar 19 2019, 6:26 PM

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Mar 19 2019, 6:26 PM