Opened 10 years ago
Closed 8 years ago
#13402 closed Bug (expired)
Application Error Disclosure
Reported by: | holly | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | General | Version: | |
Keywords: | | Cc: | |
Description
Details of some of our error messages are being exposed publicly, which could potentially allow hackers to have insight into the location of files on our site. Has this bug been identified? (I could not find anything on the search.) It seems to be most common in Chrome. Also, we are not on the most current version of CKEditor. Would upgrading resolve this issue?
Change History (4)
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
Status: | new → pending |
---|
Details of some of our error messages are being exposed publicly, which could potentially allow hackers to have insight into the location of files on our site.
Could you explain in more detail (and also provide a screenshot) what errors and details you are talking about? If you mean some exception being thrown in e.g. Firebug, then we don't have influence on what it shows. The code is minimized, but such a tool can always show the path to it (especially if that file is available in the browser).
comment:3 Changed 10 years ago by
First of all, please do not report security issues on the public bug tracker (if you believe you found any); use the contact form instead and provide as many details as possible regarding the issue you are trying to report.
Keep in mind that when you try out applications like CKEditor or CKFinder, you should set up a local web server and access them through some domain. You should not load them directly from the local file system (using file:// in the address bar) because this is not the way the application will be used in a production environment.
comment:4 Changed 8 years ago by
Resolution: | → expired |
---|---|
Status: | pending → closed |
Just one other note. If it helps, we are getting ready for Salesforce Security Review and this error was identified by the ZAP scanner recommended by Salesforce.