Anyone know roughly how useful this debug information is to would-be attackers?
> com.ibm.websphere.servlet.error.ServletErrorReport: com.ibm.ws.jsp.JspCoreException: Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
>
> Caused by:
> com.ibm.ws.jsp.JspCoreException - Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
It looks to me like it's choking on some sort of deserialization, which could lead to execution of EL code.
https://issues.jboss.org/browse/RF-13977?_sscc=t
I'm not in netsec, but this looks pretty damning to me. The fact that I was able to go from "I have no idea how I'd begin to hit this" to "hey I wonder if I can hammer on this particular interface and see if I can get it to pop" makes me think this is really not something you should be revealing, above and beyond the usual "don't show debug information to the outside world".
https://www.equifax.com/cs7/faces/jspx/login.jspx
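As an added example (not posted by anyone in the thread), here is a small Python checker that extracts from an HTTP error body exactly what a reader takes away from a trace like the one quoted above: the exception classes, the platform fingerprints implied by the package names, and the JSP attribute/value pair that failed conversion. The two sample bodies are constructed (the leaky one from the quoted error text, the clean one as a stand-in for a generic error page); the fingerprint table is an assumed mapping, not a product of the original post.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample: the WebSphere error quoted in the thread, wrapped in the
# kind of HTML an unconfigured container error page emits (quotes HTML-escaped).
# Not a captured response from any real site.
LEAKY_BODY = """<html><body><h1>Error 500</h1><pre>
com.ibm.websphere.servlet.error.ServletErrorReport: com.ibm.ws.jsp.JspCoreException: Unable to convert string &#39;uiadmin&#39; to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager

Caused by:
com.ibm.ws.jsp.JspCoreException - Unable to convert string &#39;uiadmin&#39; to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
</pre></body></html>"""

# Constructed sample of what a hardened error page looks like instead:
# an opaque reference the operator can grep for, and nothing else.
CLEAN_BODY = "<html><body><h1>Something went wrong</h1><p>Reference: 7f3c9a</p></body></html>"

# Assumed mapping from package prefixes to the platform/runtime they reveal.
# Extend with the frameworks in your own stack.
FINGERPRINTS = {
    "com.ibm.websphere.": "IBM WebSphere Application Server",
    "com.ibm.ws.jsp.": "WebSphere JSP container",
    "javax.el.": "Unified EL runtime (JSP/JSF expression language)",
}

# Fully qualified Java throwable classes, e.g. java.lang.IllegalArgumentException.
JAVA_THROWABLE = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error|Report))\b")
# The JSP tag-attribute conversion failure from the thread: value, target type, attribute.
ATTR_CONVERSION = re.compile(
    r"Unable to convert string '([^']*)' to class ([\w.]+) for attribute (\w+)"
)


@dataclass
class LeakReport:
    throwables: list          # distinct exception classes, in order of appearance
    components: list          # platform/runtime names inferred from package prefixes
    attribute_failures: list  # (value, target class, attribute) tuples

    def is_leaking(self) -> bool:
        # Any fully qualified throwable in a response body is a stack-trace leak.
        return bool(self.throwables)


def analyze(body: str) -> LeakReport:
    """Inspect one HTTP response body for leaked Java stack-trace detail."""
    text = html.unescape(body)  # error pages usually HTML-escape quotes and brackets
    throwables = list(dict.fromkeys(JAVA_THROWABLE.findall(text)))
    components = [name for prefix, name in FINGERPRINTS.items() if prefix in text]
    failures = list(dict.fromkeys(ATTR_CONVERSION.findall(text)))
    return LeakReport(throwables, components, failures)


if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        report = analyze(body)
        print(label, "LEAKING" if report.is_leaking() else "ok")
        for cls in report.throwables:
            print("  throwable:", cls)
        for name in report.components:
            print("  component:", name)
        for value, target, attr in report.attribute_failures:
            print(f"  attribute {attr!r} rejected value {value!r} (wanted {target})")
```

Run against the constructed leaky body, the report names the container, the JSP engine and the EL runtime, and shows that the string `uiadmin` reached a tag attribute typed as `javax.el.ValueExpression`, which is the detail the commenter found worth probing. The clean body yields nothing. On the server side the standard remedy is the servlet-spec `<error-page>` mapping in web.xml, pointing `java.lang.Throwable` at a static page so the container never renders the trace to the client.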