Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Improper Exception Handling

Description

Improper handling of errors can introduce a variety of security problems. The most common problem is when detailed internal error messages such as stack traces, database dumps, internal path and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed. Here application disclosing some internal information and outdated .Net version used by the application Greenshot.

Environment

Vulnerability Name - Improper Exception Handling

Severity - Medium

Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, internal path and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed.

 

Description –

Improper handling of errors can introduce a variety of security problems. The most common problem is when detailed internal error messages such as stack traces, database dumps, internal path and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed. Here application disclosing some internal information and outdated .Net version used by the application Greenshot.

Impact –

Error disclosures of applications help an attacker in getting specific information on the applications being used in the network. This would enable the attacker to concentrate more on the vulnerabilities of that application.

 

Steps to Reproduce-

When we are trying to access Greenshot application and application got stuck and throw below exception.

Also, application disclosing some internal information and outdated .Net version used by the application Greenshot.

Outdated .NET version used- .NET Version 4.0.30319.42000

For this outdated version CVE details are available please refer below link

Screenshot -

Recommendation-

Define generic error or custom error pages for ex 4XX, 5XX such that they give our minimum amount of information out in case of an error condition, Define custom error pages.

Attachments

2

Activity

Show:

Robin Krom 
February 2, 2022 at 10:23 AM

Thank you for posting this very generic way of handling exceptions, especially to point out to 4xx and 5xx errors, which are for web-based applications which Greenshot is not. Greenshot is completely open source, there is no reason not to disclose internal information, especially as doing so would prevent our users to report errors where we can do something with. We do not have logs on our side, so that would be a complete waste of our time.

About the “outdated version” of .NET, it runs on the .NET which you have installed, so gets all the security updates, 1.2 just doesn’t specifically targets a newer version, which is why you see the 4.0 mentioned. We’ve updated our requirements with 1.3

Closing this, as it doesn’t really help us further.

Won't Do

Details

Assignee

Reporter

Affects versions

Components

Priority

Labels

Time tracking

10m logged
Created February 2, 2022 at 10:04 AM
Updated February 2, 2022 at 10:23 AM
Resolved February 2, 2022 at 10:23 AM