Start a conversation
  1. Pivotal Support
  2. Pivotal Articles
  3. Articles

Mitigating Verbose Error Message Exposure in Pivotal UX Client

Overview

The Pivotal UX Client was found to expose verbose error messages containing sensitive internal details when malformed JSON or incomplete parameters are sent to specific API endpoints. This issue, identified during a penetration test, is a low-severity information disclosure vulnerability. The recommended solution is to update the web.config file to set AllowStackTraceInErrorResponse to false, preventing the display of verbose error details to end users.

Information

Error Message Identification: Verbose error messages containing stack traces, internal server paths, database queries, and component names are returned in HTTP 500 responses when malformed JSON or missing parameters are sent to the /api/user/login and /api/data endpoints.

Cause: The application is configured to return detailed error information in responses, which can be exploited to gain insights into the system's internals.

Resolution Steps:

  1. Update Configuration:
    • Locate the web.config file for the Pivotal UX Client at C:\Program Files (x86)\Aptean\Pivotal CRM\UX Client\www.
    • Ensure the setting AllowStackTraceInErrorResponse is set to false.
  2. Implement Generic Error Handling:
    • Configure a global error handler to return a generic error message (e.g., "An internal error has occurred") for all exceptions.
    • Ensure this handler covers all API endpoints, especially /api/user/login and /api/data.
  3. Restrict Error Details to Logging:
    • Configure the application to log detailed diagnostics and stack traces server-side only.
    • Adjust logging frameworks to prevent sensitive details from being included in API responses.
  4. Sanitize Error Responses:
    • Audit code for any direct output of exception messages or variable content in responses.
    • Replace such patterns with standardized, non-revealing messages.
  5. Retesting:
    • After implementing these changes, retest the affected endpoints with malformed requests to confirm that only generic error messages are presented to users.

Verification:

  • Confirm that verbose error details are no longer displayed in API responses.
  • Ensure that detailed error information is logged server-side for internal review.

Frequently Asked Questions

How do I know if verbose error messages are being exposed in my application?
You can identify this issue if HTTP 500 responses from your API endpoints contain detailed stack traces, internal server paths, or other sensitive information.
What configuration change is needed to prevent verbose error messages?
Update the web.config file to ensure AllowStackTraceInErrorResponse is set to false to prevent verbose error details from being displayed to end users.
What should I do if verbose error messages are still being displayed after configuration changes?
Ensure that the global error handler is correctly implemented and covers all API endpoints. Verify that logging frameworks are configured to suppress sensitive details in API responses.
Choose files or drag and drop files
ai_initiated
atlas_studio
kb_automation
Was this article helpful?
Yes
No

  1. Priyanka Bhotika

  2. Posted
  3. Updated

Comments