
Security issue: DataSourceLoader prints details of all the datasource schema

Hi isomorphic,

We are using SmartGWT v2.4 {2011-06-30/PowerEdition Deployment (built 2011-06-30)

Our application, which uses SmartGWT, was audited, and an issue of information leakage was reported, which is the biggest security concern.

Issue:
When you include a datasource with a script tag like the one below, if you view source in Mozilla Firefox version 24 and Chrome Version 36.0.1985.125 m and click on the script tag, it prints the whole schema, which can give hackers an idea of how to exploit the website. I have attached the file which contains the tag below.

<script src="smartgwt/sc/DataSourceLoader?dataSource=login"></script>

The following gets printed when I did view source and clicked the above tag.

isc.DataSource.create({
    schema:"Temp",
    tableName:"LOGIN",
    ID:"login",
    fields:[
        {
            name:"username",
            primaryKey:true,
            title:"username",
            type:"text"
        },
        {
            name:"password",
            title:"password",
            type:"text"
        },
        {
            name:"published_date",
            title:"published_date",
            type:"date"
        }
    ],
    serverType:"sql"
})


Solution thought:
Changing the response returned through a filter, but the application stopped working.

Help needed:
Can you suggest a solution or an article to resolve this issue? Will using SmartGWT version 4.1 resolve this issue? We are thinking of upgrading to resolve this issue.
Any help would be appreciated.

Attached Files
File Type: jsp SmartGWT.jsp (1.6 KB)
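
An added example, not part of the original post and not Isomorphic's code: a Node.js check that audits a DataSourceLoader response like the one quoted above and lists the storage details it reveals to the browser. The function names, the list of flagged properties and the sensitive-name pattern are assumptions of this example.

```javascript
// Constructed sample: the DataSourceLoader response quoted in the post.
const SAMPLE_RESPONSE = `isc.DataSource.create({
  schema:"Temp",
  tableName:"LOGIN",
  ID:"login",
  fields:[
    {name:"username", primaryKey:true, title:"username", type:"text"},
    {name:"password", title:"password", type:"text"},
    {name:"published_date", title:"published_date", type:"date"}
  ],
  serverType:"sql"
})`;

// Assumption of this example: these top-level properties describe server-side
// storage and are worth flagging when they reach the browser.
const SERVER_SIDE_PROPS = ["schema", "tableName", "serverType"];
// Assumption: a heuristic pattern for field names an auditor will question.
const SENSITIVE_FIELD = /passw|secret|token|hash/i;

// The loader output is JavaScript, not JSON, so run it against a stub `isc`
// object that records each config passed to isc.DataSource.create().
// Evaluate only responses fetched from your own application.
function captureDataSources(responseText) {
  const captured = [];
  const isc = { DataSource: { create: (cfg) => { captured.push(cfg); return cfg; } } };
  new Function("isc", responseText)(isc);
  return captured;
}

function auditDataSource(cfg) {
  const findings = [];
  for (const prop of SERVER_SIDE_PROPS) {
    if (prop in cfg) findings.push(`${cfg.ID}: exposes ${prop}=${JSON.stringify(cfg[prop])}`);
  }
  for (const field of cfg.fields || []) {
    if (SENSITIVE_FIELD.test(field.name)) {
      findings.push(`${cfg.ID}: field "${field.name}" is visible to the client`);
    }
  }
  return findings;
}

function auditResponse(responseText) {
  return captureDataSources(responseText).flatMap(auditDataSource);
}

console.log(auditResponse(SAMPLE_RESPONSE).join("\n"));
```

Run against each datasource the application loads through a script tag, the findings give an auditor a per-datasource list of what the response discloses.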
