Thread: Possible security risk (Jedi unit used in Intraweb)
Replies: 2 - Last Post: Feb 8, 2018 1:02 AM - Last Post By: Arthur Hoornweg
Arthur Hoornweg

Posts: 414
Registered: 6/2/98
Possible security risk (Jedi unit used in Intraweb)
  Posted: Feb 7, 2018 4:05 AM
Hello all,

I've noticed that Intraweb uses a unit from the Jedi code library (IWJCLStringConversions) that contains a (IMHO) non-secure UTF8 decoding algorithm (UTF8GetNextChar etc).
This decoder doesn't filter out illegal Unicode code points as required by RFC 3629 (from 2003!) and even decodes overlong 5- and 6-byte sequences.
See https://en.wikipedia.org/wiki/UTF-8 and https://tools.ietf.org/html/rfc3629 for more details.


Disclaimer: I haven't checked if these routines are actually being used by Intraweb.

Kind regards,
Arthur
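To make the concern in the post concrete, here is an added example (not code from the JCL or IntraWeb) that places a lenient decoder of the kind described next to one that enforces RFC 3629. The function names only echo UTF8GetNextChar for readability; the implementations and the sample byte sequences are constructed for this example and are not taken from the library. The point to see is that the lenient decoder turns an overlong 2-, 3-, 5- or 6-byte sequence into the same code point as a plain ASCII `/`, which is exactly why a validator that runs before decoding (or on already-decoded text) can be bypassed, while the strict decoder rejects every one of those inputs.

```python
"""Strict vs lenient UTF-8 decoding (RFC 3629).

Added example for this thread, not JCL or IntraWeb code. Function names
echo the post's UTF8GetNextChar only for readability.
"""

# Constructed sample inputs (not from the post). Each value is the code
# point a lenient decoder produces for that byte sequence.
SAMPLES = {
    b"A": 0x41,                            # ASCII
    b"\xc3\xa9": 0xE9,                     # U+00E9, well-formed 2-byte
    b"\xe2\x82\xac": 0x20AC,               # U+20AC, well-formed 3-byte
    b"\xf0\x9f\x98\x80": 0x1F600,          # U+1F600, well-formed 4-byte
    b"\xc0\xaf": 0x2F,                     # overlong 2-byte encoding of '/'
    b"\xe0\x80\xaf": 0x2F,                 # overlong 3-byte encoding of '/'
    b"\xf8\x80\x80\x80\xaf": 0x2F,         # overlong 5-byte encoding of '/'
    b"\xfc\x80\x80\x80\x80\xaf": 0x2F,     # overlong 6-byte encoding of '/'
    b"\xed\xa0\x80": 0xD800,               # UTF-16 surrogate, forbidden in UTF-8
    b"\xf4\x90\x80\x80": 0x110000,         # above U+10FFFF
}


def utf8_next_char_lenient(data: bytes, pos: int):
    """Decoder in the style the post warns about: accepts the obsolete 5- and
    6-byte forms and never checks for overlongs, surrogates or > U+10FFFF.
    Returns (code_point, next_pos)."""
    b0 = data[pos]
    if b0 < 0x80:
        return b0, pos + 1
    if b0 & 0xE0 == 0xC0:
        n, cp = 1, b0 & 0x1F
    elif b0 & 0xF0 == 0xE0:
        n, cp = 2, b0 & 0x0F
    elif b0 & 0xF8 == 0xF0:
        n, cp = 3, b0 & 0x07
    elif b0 & 0xFC == 0xF8:
        n, cp = 4, b0 & 0x03          # 5-byte form (pre-RFC 3629)
    elif b0 & 0xFE == 0xFC:
        n, cp = 5, b0 & 0x01          # 6-byte form (pre-RFC 3629)
    else:
        raise ValueError("invalid lead byte")
    if pos + n >= len(data):
        raise ValueError("truncated sequence")
    for i in range(1, n + 1):
        b = data[pos + i]
        if b & 0xC0 != 0x80:
            raise ValueError("bad continuation byte")
        cp = (cp << 6) | (b & 0x3F)
    return cp, pos + n + 1


def utf8_next_char_strict(data: bytes, pos: int):
    """RFC 3629 decoder: at most 4 bytes, shortest form only, no surrogates,
    nothing above U+10FFFF. Raises ValueError with the reason otherwise."""
    b0 = data[pos]
    if b0 < 0x80:
        return b0, pos + 1
    # Lead-byte ranges already exclude 0xC0/0xC1 (always overlong) and
    # 0xF5..0xFF (5/6-byte forms or values above U+10FFFF).
    if 0xC2 <= b0 <= 0xDF:
        n, cp, lo = 1, b0 & 0x1F, 0x80
    elif 0xE0 <= b0 <= 0xEF:
        n, cp, lo = 2, b0 & 0x0F, 0x800
    elif 0xF0 <= b0 <= 0xF4:
        n, cp, lo = 3, b0 & 0x07, 0x10000
    else:
        raise ValueError("invalid lead byte 0x%02X" % b0)
    if pos + n >= len(data):
        raise ValueError("truncated sequence")
    for i in range(1, n + 1):
        b = data[pos + i]
        if b & 0xC0 != 0x80:
            raise ValueError("bad continuation byte")
        cp = (cp << 6) | (b & 0x3F)
    if cp < lo:
        raise ValueError("overlong encoding of U+%04X" % cp)
    if 0xD800 <= cp <= 0xDFFF:
        raise ValueError("surrogate U+%04X" % cp)
    if cp > 0x10FFFF:
        raise ValueError("code point above U+10FFFF")
    return cp, pos + n + 1


def is_well_formed(data: bytes) -> bool:
    """True only if every sequence in data passes the strict decoder."""
    pos = 0
    try:
        while pos < len(data):
            _, pos = utf8_next_char_strict(data, pos)
    except ValueError:
        return False
    return True


def agrees_with_python(data: bytes) -> bool:
    """Cross-check: the strict decoder accepts exactly what CPython's own
    strict 'utf-8' codec accepts."""
    try:
        data.decode("utf-8")
        accepted = True
    except UnicodeDecodeError:
        accepted = False
    return is_well_formed(data) == accepted


if __name__ == "__main__":
    for seq, expected in SAMPLES.items():
        lenient = utf8_next_char_lenient(seq, 0)[0]
        print("%-28s lenient -> U+%04X  strict -> %s"
              % (seq, lenient, "ok" if is_well_formed(seq) else "rejected"))
```

Running the block prints one line per sample; the four well-formed inputs are accepted by both decoders, and the six malformed ones all decode "successfully" under the lenient routine while the strict one rejects each with a reason. The `agrees_with_python` check is a cheap way to confirm a hand-written decoder against a known-good implementation when auditing third-party string units like the one the post describes.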

Alexandre Machado

Posts: 1,754
Registered: 8/10/13
Re: Possible security risk (Jedi unit used in Intraweb)
  Posted: Feb 7, 2018 7:55 PM   in response to: Arthur Hoornweg
Arthur Hoornweg wrote:
Hello all,

I've noticed that Intraweb uses a unit from the Jedi code library (IWJCLStringConversions) that contains a (IMHO) non-secure UTF8 decoding algorithm (UTF8GetNextChar etc).
This decoder doesn't filter out illegal Unicode code points as required by RFC 3629 (from 2003!) and even decodes overlong 5- and 6-byte sequences.
See https://en.wikipedia.org/wiki/UTF-8 and https://tools.ietf.org/html/rfc3629 for more details.


Disclaimer: I haven't checked if these routines are actually being used by Intraweb.

Kind regards,
Arthur


Hi Arthur,

Thanks for your report. I'm not sure if this function is actually used or not, but JCL units which are distributed with IW are:
1- Optional (IW doesn't rely on that in any way)
2- Used only by JclDebug which can be used as a way to obtain stack traces.
If you are not using JclDebug to obtain stack traces of exceptions, you have nothing to worry about. Besides that, it is not used anywhere in core request/response processing.

Arthur Hoornweg

Posts: 414
Registered: 6/2/98
Re: Possible security risk (Jedi unit used in Intraweb)
  Posted: Feb 8, 2018 1:02 AM   in response to: Alexandre Machado
Alexandre Machado wrote:

If you are not using JclDebug to obtain stack traces of exceptions, you have nothing to worry about. Besides that, it is not used anywhere in core request/response processing.

Hi Alexandre,

Thanks for clarifying that! I'll try and inform the Jedi guys of the issue.
