ABSTRACT

The application server persists sensitive information to disk in an unencrypted format. This data may not be removed under all conditions.

EXPLANATION

Configuring a Chart Image handler to persist images to disk may result in a privacy violation if the chart contains sensitive information.

Example 1: The following application setting within the web.config file forces a Data Visualization control to persist any graphs it produces to disk:

<configuration>
  <appSettings>
    <add key="ChartImageHandler" value="storage=file;timeout=20;deleteAfterServicing=false;" />
  </appSettings>
</configuration>

The value attribute of the add element contains the setting "storage=file". This is problematic if any Data Visualization control displays sensitive data to the user because .NET stores the image in an unencrypted format on disk.

To make matters worse, this element also contains the problematic attribute "deleteAfterServicing=false". This instructs .NET not to delete an image after the infrastructure has served it to the user. If the image contains sensitive data, .NET leaves it on disk, where it remains available for later inspection.
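A small audit script, added here as an example and not part of the original page, that parses a web.config, locates the ChartImageHandler application setting and reports the two weaknesses described above ("storage=file" and "deleteAfterServicing=false"). The web.config text is constructed inline from Example 1; the value grammar (semicolon-separated name=value pairs) is as shown on the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config, mirroring the page's Example 1.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ChartImageHandler" value="storage=file;timeout=20;deleteAfterServicing=false;" />
  </appSettings>
</configuration>"""


def parse_handler_settings(value: str) -> dict:
    """Split a ChartImageHandler value such as "storage=file;timeout=20;"
    into a {name: value} dict. Names and values are lower-cased so the
    comparison below is case-insensitive; empty segments are skipped."""
    settings = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        settings[name.strip().lower()] = val.strip().lower()
    return settings


def audit_web_config(xml_text: str) -> list:
    """Return a list of findings for insecure ChartImageHandler settings
    found under <configuration><appSettings>."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key", "").lower() != "chartimagehandler":
            continue
        settings = parse_handler_settings(add.get("value", ""))
        if settings.get("storage") == "file":
            findings.append("storage=file: chart images are written to disk unencrypted")
            # Retention after serving only matters once images are on disk.
            if settings.get("deleteafterservicing") == "false":
                findings.append("deleteAfterServicing=false: served images are never removed")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```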
