Exposure of sensitive information such as user credentials can occur if diagnostic logging is enabled on servers for web-enabled applications. This applies to JADE web forms applications, HTML document applications and web service provider applications.
By design, diagnostic logs record all traffic to and from the service in clear text to a file on disk, including any credentials carried in that traffic.
Anyone with read access to this file can therefore obtain potentially sensitive information such as passwords.
This logging is not enabled by default, and it is strongly recommended that it is only enabled on an as-required basis and disabled again once the diagnosis is complete.
Recommended actions
- Review access controls on the log files that are generated and ensure the file system permissions meet organisational security requirements.
- Ensure that logging is disabled by setting the following in the jadehttp.ini file:

  [Jadehttp Logging]
  trace=false

- Ensure that logging is disabled by setting the following in the web application configuration XML file (the log_file_name should be blank or the setting should not exist):

  disable_logging=true
  log_file_name=

- Ensure that logging is disabled by setting the following in the JADE initialisation files (the LogFileName should be blank or the setting should not exist):

  [WebOptions]
  DisableLogging=true
  LogFileName=
- Review application code to determine whether application logging meets organisational security requirements.
- Review and disable third-party logging (e.g. on IIS or Apache web servers).
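The three configuration checks above can be automated so that a server can be audited before it goes live or as part of a periodic review. The script below is an added example, not JADE's own tooling: it reads the three settings the advisory names from sample file contents, reports any that would leave diagnostic logging enabled, and includes a POSIX permission check for an existing log file. The sample file contents are constructed and their exact layout (in particular how the settings appear in the web application XML file) is an assumption.

```python
"""Audit JADE web application diagnostic-logging settings.

Added example (not JADE's own code). The sample file contents below are
constructed; real files may lay the settings out differently.
"""
import configparser
import os
import re
import stat

# Constructed samples: the first two deliberately leave logging enabled so the
# audit has something to report; the XML sample is correctly configured.
SAMPLE_JADEHTTP_INI = """[Jadehttp Logging]
trace=true
"""

SAMPLE_JADE_INI = """[WebOptions]
DisableLogging=false
LogFileName=c:\\jade\\logs\\webtrace.log
"""

SAMPLE_WEBAPP_XML = '<webapp disable_logging="true" log_file_name="" />'


def _read_ini(text):
    # interpolation=None so Windows paths containing '%' are read verbatim.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_jadehttp_ini(text):
    """[Jadehttp Logging] trace must be false; absent counts as false (off by default)."""
    parser = _read_ini(text)
    trace = parser.get("Jadehttp Logging", "trace", fallback="false").strip()
    if trace.lower() != "false":
        return ["jadehttp.ini: [Jadehttp Logging] trace=%s (expected false)" % trace]
    return []


def check_jade_ini(text):
    """[WebOptions] DisableLogging must be true and LogFileName blank or absent."""
    parser = _read_ini(text)
    findings = []
    disable = parser.get("WebOptions", "DisableLogging", fallback="true").strip()
    if disable.lower() != "true":
        findings.append("JADE ini: [WebOptions] DisableLogging=%s (expected true)" % disable)
    log_name = parser.get("WebOptions", "LogFileName", fallback="").strip()
    if log_name:
        findings.append("JADE ini: [WebOptions] LogFileName=%s (expected blank or absent)" % log_name)
    return findings


def check_webapp_xml(text):
    """disable_logging must be true and log_file_name blank or absent.

    Assumption: the settings appear either as name=value pairs or as XML
    attributes, so a regex is used instead of a schema-specific parser.
    """
    findings = []
    m = re.search(r'disable_logging\s*=\s*"?(\w+)', text, re.IGNORECASE)
    disable = m.group(1) if m else "true"  # absent: logging is off by default
    if disable.lower() != "true":
        findings.append("web app XML: disable_logging=%s (expected true)" % disable)
    m = re.search(r'log_file_name\s*=\s*"?([^"\s]*)', text, re.IGNORECASE)
    if m and m.group(1):
        findings.append("web app XML: log_file_name=%s (expected blank or absent)" % m.group(1))
    return findings


def mode_world_readable(mode):
    """True if the POSIX mode bits grant read access to 'other'."""
    return bool(mode & stat.S_IROTH)


def world_readable(path):
    """Permission check for an existing log file on a POSIX host."""
    return mode_world_readable(os.stat(path).st_mode)


def audit(jadehttp_ini, jade_ini, webapp_xml):
    """Run all three configuration checks and return the combined findings."""
    return (check_jadehttp_ini(jadehttp_ini)
            + check_jade_ini(jade_ini)
            + check_webapp_xml(webapp_xml))


if __name__ == "__main__":
    for finding in audit(SAMPLE_JADEHTTP_INI, SAMPLE_JADE_INI, SAMPLE_WEBAPP_XML):
        print("FINDING:", finding)
```

Run against the constructed samples the audit reports three findings (the jadehttp.ini trace flag and both JADE ini settings); to audit a real server, read the actual files into the three check functions and pass any log file path that is still present to world_readable.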
Related documents:
- Web Services White Paper
- Web Services Tips and Techniques White Paper
- Web Services Security White Paper
If you have any questions or concerns about this, please contact your account manager or Jade Support for further assistance.