Malcolm

Debugger is leaking information to Unauthorised users

Discussion created by Malcolm on Nov 16, 2016
Latest reply on May 9, 2017 by TSGal

Environment

FMPA 15.0.1.119

Mac OS X 10.11.6

MacBook Pro (Retina, 15-inch, Mid 2015)

CPU 2.5 GHz Intel Core i7

RAM 16 GB 1600 MHz DDR3

 

Issue:

An unauthorised user should not be able to obtain any information from the debugger.

 

What actually happens:

The debugger reveals the call stack to an unauthorised user.

 

Workaround:

none.

 

To Reproduce:

Using FMPA, open the debugger and then run a script. In my testing I was attempting to view the login process. So, with the file closed I opened the debugger window. Then I opened the file.

 

In the first instance I tried to log in using an account which was not in the file. The script debugger does not reveal anything to the user.

 

In the second instance I used a valid account which did not have full access privileges. When I do this the script debugger begins to leak information. I am able to see the names of the scripts being used in the file open sequence.
