#30 Potential security risk when using JADE web applications

Technical and operational updates for all users of JADE, including Jade Source Bulletins
User avatar
Jade Support
Posts: 98
Joined: Mon Aug 17, 2009 10:27 am
Location: Jade Software Corporation, Christchurch

#30 Potential security risk when using JADE web applications

Postby Jade Support » Mon Mar 02, 2015 8:04 pm

Potential security risk when using JADE web-enabled applications

Exposure of sensitive information such as user credentials can occur if diagnostic logging is enabled on servers for web enabled applications. This relates to JADE web forms applications, HTML document applications and web service provider applications.

The nature of diagnostic logs is that all traffic to and from the service is logged in clear text to a file on disk.

Anyone with access to this file can gain access to potentially sensitive information such as passwords.

This logging is not enabled by default, and it is strongly recommended that it is only enabled on an as required basis.

Recommended actions
  • Review access controls to the log files which are generated and ensure file system permissions met organisational security requirements.

  • Ensure that logging is disabled by setting the following in the jadehttp.ini file:

    Code: Select all

    [Jadehttp Logging]
    trace=false

  • Ensure that logging is disabled by setting the following in the web application configuration XML file:

    Code: Select all

    disable_logging=true
    log_file_name=

    Note: the log_file_name should be blank or the setting should not exist.


  • Ensure that logging is disabled by setting the following in the JADE initialisation files:

    Code: Select all

    [WebOptions]
    DisableLogging=true
    LogFileName=

    Note: the LogFileName should be blank or the setting should not exist.

  • Review application code to determine whether application logging meets organisational security requirements.

  • Review and disable third party logging (e.g. on IIS or Apache web-servers).

More information on the use of Web Services in JADE is available in the following White Papers:
Web Services White Paper
Web Services Tips and Techniques White Paper
Web Services Security White Paper

If you have any questions or concerns about this, please contact your account manager or Jade Support for further assistance.
Last edited by Jade Support on Mon Mar 23, 2015 3:36 pm, edited 1 time in total.
Reason: Add bulletin number to title.
Jade Support
Jade Software Corporation Ltd

Email: jadesupport@jadeworld.com
Web: http://www.jadeworld.com

Jade Software – complex business problems solved beautifully.

Return to “Jade Support Bulletins”

Who is online

Users browsing this forum: No registered users and 1 guest

cron