Last post Aug 10, 2014 01:13 PM by holdorfs
Aug 10, 2014 10:01 AM|holdorfs
I have been trying to find a code repair for a Web Inspect HP Fortify report class II finding. I have a case where the IA error, Information disclosure vulnerability, has been caused by poor error handling. The application runs fine; however, this problem is found in the low-level code and reported. Everything I have found on the internet only talks about errors that cause the application to throw high-level exceptions that cause the application to crash and not one that goes deep enough to find code solutions at the code level for IA errors that don't crash the application. If anyone knows of an actual code solution that would be great.
Aug 10, 2014 12:19 PM|PatriceSc
"IA" that is? For now I don't see what are "IA errors that don't crash the application". You, I and likely anyone first need to understand exactly what is the error before being able to fix it. I'm not sure how Fortify can find this. Could it be something like showing a password or whatever on the site?
Aug 10, 2014 01:13 PM|holdorfs
Thanks for your first reply. In your reply to the initial error question on the Security forums you mentioned that I try to get more information from the developers. Please understand that I am the only developer assigned to fix this problem and have been searching the internet for over two days trying to find information about this. On my team no other developers have any experience with these issues. I am new to security issues and don't have a clue about what I should do to fix the problem. One response had me create an application diagnostic page but that was only for bugs that crashed an ASP.NET application. Then I added the global exception handler Application_Error in the global.asax file with still nothing specific showing up. I looked at this forum and saw actual code changes for exceptions and was hoping that someone might have run into the issue on the developer's side of the house. I guess at this point I need help because nothing I have tried or found on the internet indicated what specifically causes these problems and what code fixes people have used. You have seen me go from the Information Assurance personnel side of the house and now I am trying to see if any developers have found an answer. Do you believe that I was wrong for posting my question here? If you do I will delete it.