#30 Potential security risk when using JADE web applications

Posted: Mon Mar 02, 2015 8:04 pm
by Jade Support
Potential security risk when using JADE web-enabled applications

Exposure of sensitive information such as user credentials can occur if diagnostic logging is enabled on servers for web-enabled applications. This relates to JADE web forms applications, HTML document applications and web service provider applications.

The nature of diagnostic logs is that all traffic to and from the service is logged in clear text to a file on disk.

Anyone with access to this file can gain access to potentially sensitive information such as passwords.

This logging is not enabled by default, and it is strongly recommended that it is only enabled on an as-required basis.

Recommended actions
  • Review access controls to the log files which are generated and ensure file system permissions meet organisational security requirements.
  • Ensure that logging is disabled by setting the following in the jadehttp.ini file:

    [Jadehttp Logging]
    trace=false
  • Ensure that logging is disabled by setting the following in the web application configuration XML file:

    disable_logging=true
    log_file_name=

    Note: the log_file_name should be blank or the setting should not exist.
  • Ensure that logging is disabled by setting the following in the JADE initialisation files:

    [WebOptions]
    DisableLogging=true
    LogFileName=

    Note: the LogFileName should be blank or the setting should not exist.
  • Review application code to determine whether application logging meets organisational security requirements.
  • Review and disable third party logging (e.g. on IIS or Apache web-servers).
More information on the use of Web Services in JADE is available in the following White Papers:
Web Services White Paper
Web Services Tips and Techniques White Paper
Web Services Security White Paper

If you have any questions or concerns about this, please contact your account manager or Jade Support for further assistance.
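A small audit script for the two INI-style settings listed above, added here as an example and not Jade Support's or JADE's own code. It assumes jadehttp.ini and the JADE initialisation files are plain INI text with the section and key names quoted in the post; the sample file contents are constructed.

```python
"""Check JADE configuration text for the diagnostic-logging settings that
expose clear-text traffic, as described in the post above."""
import configparser
from typing import List

# Constructed sample inputs (assumption: plain INI syntax), not real deployments.
SAMPLE_JADEHTTP_INI = """[Jadehttp Logging]
trace=true
"""
SAMPLE_JADE_INI = """[WebOptions]
DisableLogging=false
LogFileName=C:\\jade\\logs\\web.log
"""


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None so Windows paths with '%' or '$' are taken literally;
    # keys are compared case-insensitively (configparser default).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit_jadehttp_ini(text: str) -> List[str]:
    """Findings for jadehttp.ini; an empty list means trace logging is off."""
    cp = _parse(text)
    if cp.has_section("Jadehttp Logging") and _truthy(
        cp.get("Jadehttp Logging", "trace", fallback="false")
    ):
        return ["[Jadehttp Logging] trace=true: traffic is logged in clear text"]
    return []


def audit_jade_ini(text: str) -> List[str]:
    """Findings for a JADE initialisation file's [WebOptions] section."""
    cp = _parse(text)
    findings: List[str] = []
    if not cp.has_section("WebOptions"):
        return findings  # logging is not enabled by default
    if not _truthy(cp.get("WebOptions", "DisableLogging", fallback="false")):
        findings.append("[WebOptions] DisableLogging is not true")
    if cp.get("WebOptions", "LogFileName", fallback="").strip():
        findings.append("[WebOptions] LogFileName is set; it should be blank or absent")
    return findings


if __name__ == "__main__":
    for line in audit_jadehttp_ini(SAMPLE_JADEHTTP_INI) + audit_jade_ini(SAMPLE_JADE_INI):
        print("FINDING:", line)
```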