Security concerns with Identity Server error messages on browser reporting stack dump

  • 7012495
  • 28-May-2013
  • 28-May-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 applied
NetIQ Access Manager 3.2 Identity Server
NetIQ Access Manager 3.2 Access Gateway

Situation

Whenever the IDP server returns a 500 Internal Server Error because of invalid input, the stack trace describing the reason for the failure is included in the response and is visible in the browser. Malicious users can use this information to build further attacks against the IDP/ESP.

For example, if I add "%2b" at the end of the IssueInstant argument (IssueInstant spoofing) of the following URL, a 500 Internal Server Error is reported.
https://nam32phys.lab.novell.com:8443/nidp/idff/sso?RequestID=idPqXJz1evhjwWlW2PRS6yVRJWBD0&MajorVersion=1&MinorVersion=2&IssueInstant=2013-05-15T11%3A32%3A22Z%2B&ProviderID=https%3A%2F%2Fnam32app-vm.lab.novell.com%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=MA%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=https%3A%2F%2Fnam32app-vm.lab.novell.com%2Fformfill%2Fphpinfo.php&AuthnContextStatementRef=secure%2Fname%2Fpassword%2Furi

Looking at the contents of the response, we see that the stack dump is included:

    java.lang.StringIndexOutOfBoundsException: String index out of range: 23
    java.lang.String.substring(String.java:1934)
    com.novell.nidp.common.xml.w3c.XMLDateTime.xmlDecodeTimeDateString(y:1116)
    com.novell.nidp.saml.core.protocol.SAMLPAbsRequest.<init>(y:3110)
    com.novell.nidp.saml.core.protocol.SAMLPRequest.<init>(y:966)
    com.novell.nidp.liberty.idff.protocol.LibertyRequest.<init>(y:1817)
    com.novell.nidp.liberty.idff.protocol.LibertyAuthnRequest.<init>(y:1482)
    com.novell.nidp.liberty.idff.profile.LibertySSOProfile.getRequest(y:2286)
    com.novell.nidp.liberty.idff.profile.LibertyProfile.handledInBoundRequest(y:3044)
    com.novell.nidp.liberty.idff.profile.LibertySSOProfile.processSSOEndpoint(y:2238)
    com.novell.nidp.liberty.IDFFHandler.E(y:642)
    com.novell.nidp.liberty.IDFFHandler.handleRequest(y:1524)
    com.novell.nidp.liberty.LibertyMeDescriptor.handleRequest(y:2838)
    com.novell.nidp.servlets.NIDPServlet.myDoGet(y:2840)
    com.novell.nidp.servlets.NIDPBaseServlet.doGet(y:1954)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    com.novell.emframe.fw.filter.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:25)

The Identity Server should not give the user agent any hint as to why the failure occurred.

Resolution

Modify the Identity Server webapp web.xml file (/opt/novell/nids/lib/webapp/WEB-INF/web.xml) and add the following elements so that the IDP server gives no hint to the user/browser.

<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>

<error-page>
    <error-code>500</error-code>
    <location>/index.html</location>
</error-page>

The index.html can be any custom page.

The same can be configured for the 404 error code by adding another <error-page> element with 404 as its error-code.
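The following script is an added verification helper and is not part of this TID or of the NetIQ product. It covers both halves of the article: has_error_page confirms that web.xml carries the error-page mapping described above (the path is the one this TID names), and leaks_stack_trace tells you whether a saved response body still contains Java exception or stack-frame text of the kind shown in the Situation section. IDP_URL is a placeholder for the IDP endpoint that produced the 500; the sample web.xml and response bodies used by selftest are constructed, not real server output.

```shell
#!/bin/sh
# Verification helper for the web.xml error-page change (added example, not from the TID).
# Assumptions: WEB_XML is the path the TID names; IDP_URL is a placeholder you replace.
set -u

WEB_XML="${WEB_XML:-/opt/novell/nids/lib/webapp/WEB-INF/web.xml}"
IDP_URL="${IDP_URL:-https://idp.example.com:8443/nidp/idff/sso}"   # placeholder endpoint

# has_error_page FILE CODE
# Succeeds when FILE contains an <error-page> that maps HTTP status CODE to a <location>.
# The file is flattened to one line first so indentation and line breaks do not matter.
has_error_page() {
    tr -d '\n\r' < "$1" | tr -s ' \t' ' ' |
        grep -q "<error-page>[^<]*<error-code> *$2 *</error-code>[^<]*<location>[^<]*</location>"
}

# leaks_stack_trace FILE
# Succeeds when FILE (a saved HTTP response body) carries a java.lang exception class name
# or a stack frame such as Foo.bar(Foo.java:12) or Foo.<init>(y:3110).
leaks_stack_trace() {
    grep -Eq 'java\.lang\.[A-Za-z]*(Exception|Error)|\.[A-Za-z0-9_$<>]+\([A-Za-z]+(\.java)?:[0-9]+\)' "$1"
}

# check_response FILE LABEL: print a verdict for a saved body; returns 1 when a trace leaks.
check_response() {
    if leaks_stack_trace "$1"; then
        echo "FAIL ($2): response body still contains a Java stack trace"
        return 1
    fi
    echo "OK ($2): no stack trace in response body"
}

# check_live URL: fetch URL (self-signed lab certificates allowed) and check the body.
check_live() {
    body=$(mktemp)
    status=$(curl -sk -o "$body" -w '%{http_code}' "$1") || { rm -f "$body"; return 1; }
    if check_response "$body" "HTTP $status"; then rc=0; else rc=1; fi
    rm -f "$body"
    return $rc
}

# selftest: exercise both checks offline on constructed samples. Returns 0 when all hold.
selftest() {
    dir=$(mktemp -d)
    # Constructed web.xml fragment: only the 500 mapping from the TID, no 404 mapping yet.
    cat > "$dir/web.xml" <<'EOF'
<web-app>
  <error-page>
    <error-code>500</error-code>
    <location>/index.html</location>
  </error-page>
</web-app>
EOF
    # Constructed body in the shape of the leaked response shown in the TID.
    cat > "$dir/leak.html" <<'EOF'
java.lang.StringIndexOutOfBoundsException: String index out of range: 23
    com.novell.nidp.common.xml.w3c.XMLDateTime.xmlDecodeTimeDateString(y:1116)
EOF
    # Constructed body of the kind a custom index.html would return instead.
    printf '<html><body><h1>Service unavailable</h1></body></html>\n' > "$dir/clean.html"
    ok=0
    has_error_page "$dir/web.xml" 500   || ok=1   # 500 mapping must be present
    has_error_page "$dir/web.xml" 404   && ok=1   # 404 must not be reported as mapped
    leaks_stack_trace "$dir/leak.html"  || ok=1   # trace must be detected
    leaks_stack_trace "$dir/clean.html" && ok=1   # clean page must pass
    rm -rf "$dir"
    return $ok
}

case "${1-}" in
    --live) check_live "$IDP_URL" ;;                       # run against the real endpoint
    --xml)  has_error_page "$WEB_XML" 500 && echo "500 mapped" || echo "500 NOT mapped" ;;
    *)      selftest && echo "selftest passed" ;;
esac
```

Run it with --xml after editing web.xml to confirm the mapping is in place, then with --live (IDP_URL set to the request that previously produced the 500) after restarting the Identity Server; a FAIL verdict means the response body still carries frame text and the change has not taken effect.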