Support Article
Security vulnerability with 500 responses in 6.3sp1
SA-63
Summary
A server error (HTTP 500) response was detected. Error responses are not dangerous in themselves, but their content gives an attacker insight into how the application handles error conditions. Error pages must return generic messages that do not reveal information an attacker could use.
HTTP/1.1 500 Internal Server Error
Error Messages
HTTP/1.1 500 Internal Server Error
Steps to Reproduce
Not Applicable
Root Cause
The root cause of this problem is a defect in Pegasystems’ code/rules. Error messages returned to end users should come from generic error pages and error-handling logic that only tells them a problem occurred; they should not include system information or other data that an attacker could use when orchestrating an attack.
Resolution
This issue is resolved through the following local change.
Follow the steps below so that the application always returns a generic message instead of a raw "500 Internal Server Error" page.
The information below lets you 1) remove the comments from the XML so that the result is consistent across browsers, and 2) customize the content of the messages returned to the user:
1) In the web.xml file, the WebStandard servlet definition has an init-param that lets you define a custom status screen:
<servlet>
    <servlet-name>WebStandard</servlet-name>
    <display-name>WebStandard</display-name>
    <description>Starting standard interface to PegaRULES, using internal authentication</description>
    <servlet-class>com.pega.pegarules.internal.web.servlet.WebStandardBoot</servlet-class>
    <init-param>
        <param-name>PegaEtierClass</param-name>
        <!-- COMPONENTS: This was previously com.pega.pegarules.services.HttpAPI -->
        <param-value>com.pega.pegarules.session.internal.engineinterface.service.HttpAPI</param-value>
    </init-param>
    <!-- Basic PegaRULES Authentication is the default
    <init-param>
        <param-name>AuthenticationType</param-name>
        <param-value>PRBasic</param-value>
    </init-param>
    -->
    <!-- Customize Status Screen: This is assignable per-servlet, value below is the default -->
    <init-param>
        <param-name>StatusPage</param-name>
        <param-value>/diagnostic/status.jsp</param-value>
    </init-param>
</servlet>
2) To customize the error screen contents further, modify the two JSP documents that ship inside prweb.war and are installed into the deployed application tree under:
/prweb/diagnostic/error.jsp
/prweb/diagnostic/status.jsp
You must also set the DisplayExceptionTraceback switch in prconfig.xml to false so that traceback details are neither displayed to the user nor written to the clipboard:
<env name="initialization/DisplayExceptionTraceback" value="false"/>
These two JSP pages can be modified to display whatever you would like. There is currently no documentation describing how to customize these files, and any such modifications may need to be revisited after a product upgrade, because the upgrade replaces the files.
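As an added verification example (this code is not part of the article or of Pegasystems' product), the following Python script checks both parts of the resolution offline: that a prconfig.xml fragment explicitly sets initialization/DisplayExceptionTraceback to false, and that a captured HTTP 500 response no longer leaks exception class names, JVM stack frames or engine package names. The <pegarules> root element, the HTTP samples and the stack frame are constructed for the example; only the <env> entry and the WebStandardBoot class name come from the article.

```python
"""Added verification example (not part of the Pega article or of Pegasystems'
code).  Two checks a practitioner would run after applying the local change:

  1. the prconfig.xml fragment explicitly sets
     initialization/DisplayExceptionTraceback to "false";
  2. a captured HTTP 500 response body no longer contains implementation
     detail (exception class names, JVM stack frames, engine package names).

All inputs below are constructed samples; nothing is fetched from a server."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

TRACEBACK_SWITCH = "initialization/DisplayExceptionTraceback"

# Constructed prconfig.xml fragments.  The <env> element form is the one the
# article quotes; the surrounding <pegarules> root is assumed for the sample.
PRCONFIG_UNSAFE = """<pegarules>
  <env name="initialization/DisplayExceptionTraceback" value="true"/>
</pegarules>"""
PRCONFIG_SAFE = """<pegarules>
  <env name="initialization/DisplayExceptionTraceback" value="false"/>
</pegarules>"""


def traceback_explicitly_disabled(prconfig_xml: str) -> bool:
    """True only if an <env> entry sets the switch to "false" (case-insensitive).
    A missing entry returns False: the fix requires the switch to be set, and
    no assumption is made here about the product default."""
    root = ET.fromstring(prconfig_xml)
    for env in root.iter("env"):
        if env.get("name") == TRACEBACK_SWITCH:
            return env.get("value", "").strip().lower() == "false"
    return False


# Indicators that an error page exposes internals rather than a generic message.
LEAK_PATTERNS = [
    re.compile(r"\bjava\.[\w.]*?(?:Exception|Error)\b"),        # JVM exception class name
    re.compile(r"^\s*at [\w$.]+\([\w.]+:\d+\)", re.MULTILINE),  # stack frame "at pkg.Class.method(File.java:NN)"
    re.compile(r"\bcom\.pega\.[\w.]+"),                         # Pega engine package/class names
    re.compile(r"\bCaused by:", re.IGNORECASE),                 # chained-exception marker
]


def split_response(raw: str) -> Tuple[str, str]:
    """Split a captured HTTP/1.1 response into (status line, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n", 1)[0], body


def leaked_details(body: str) -> List[str]:
    """Distinct fragments of the body that match a leak pattern."""
    found: List[str] = []
    for pat in LEAK_PATTERNS:
        for m in pat.finditer(body):
            frag = m.group(0).strip()
            if frag not in found:
                found.append(frag)
    return found


def is_generic_500(raw: str) -> bool:
    """Accept a 500 only when its body carries no implementation detail."""
    status, body = split_response(raw)
    return status.startswith("HTTP/1.1 500") and not leaked_details(body)


# Constructed sample responses.  The leaky one mimics a container's default
# error page; the stack frame is invented and only reuses the servlet class
# named in the article's web.xml.
RESPONSE_LEAKY = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>HTTP Status 500</h1><pre>\n"
    "java.lang.NullPointerException\n"
    "\tat com.pega.pegarules.internal.web.servlet.WebStandardBoot.service(WebStandardBoot.java:42)\n"
    "</pre></body></html>"
)
RESPONSE_GENERIC = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>An error occurred</h1>"
    "<p>Please try again later or contact your administrator.</p></body></html>"
)

if __name__ == "__main__":
    print("prconfig unsafe disabled:", traceback_explicitly_disabled(PRCONFIG_UNSAFE))  # False
    print("prconfig safe disabled:  ", traceback_explicitly_disabled(PRCONFIG_SAFE))    # True
    print("leaked fragments:", leaked_details(split_response(RESPONSE_LEAKY)[1]))
    print("leaky response is generic:", is_generic_500(RESPONSE_LEAKY))                # False
    print("fixed response is generic:", is_generic_500(RESPONSE_GENERIC))              # True
```

Feed real captures into is_generic_500 after deploying the customized status.jsp and error.jsp: any fragment reported by leaked_details means the container or the engine is still rendering its own error page somewhere in the request path, and the DisplayExceptionTraceback switch or the StatusPage init-param has not taken effect for that servlet.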
Published February 17, 2016 - Updated October 8, 2020