Error Handling - Do not include error details in the default jsp error pages
Issue date: 27-10-2020
Affects versions: 14.2, 13.4, 12.6
Security Issue ID
SECURITY-140
Affected Product Version(s)
14.2.2, 13.4.3, 12.6.10 (and previous patch releases)
Severity
medium
Description
The error page templates generated by default when using the Bloomreach Experience Manager archetype display information about the class of the exception when a 500 Internal Server Error occurs. This is an unnecessary internal implementation detail that should not be revealed to users. For more information on writing custom error pages, see Handle Error Codes and Exceptions in web.xml. For more information on best practices for handling site errors, see the OWASP page for Improper Error Handling.
Instructions
When generating a new bXM project, use the Maven archetype version 14.3.0 and above, or 13.4.4 and above. This ensures that the default error pages for newly generated projects do not include unneeded details.
Customers are advised to verify that existing projects follow the recommendations for Error Handling and to update them according to Handle Error Codes and Exceptions in web.xml as needed.
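As an added illustration (not the archetype's own template or Bloomreach code), the following hardened JSP error page logs the exception server-side under a random incident reference and shows the user only that reference; the file location and the web.xml mapping named in the comment are assumptions:

```jsp
<%-- Hardened 500 error page (added example, not the archetype's template).
     Assumed location: /WEB-INF/jsp/error.jsp, mapped in web.xml with
     <error-page><error-code>500</error-code><location>/WEB-INF/jsp/error.jsp</location></error-page> --%>
<%@ page isErrorPage="true" contentType="text/html;charset=UTF-8" session="false" %>
<%@ page import="java.util.UUID" %>
<%
    // Leaking variant (the pattern this advisory describes): writing exception
    // details into the response body, e.g.
    //   out.println(exception.getClass().getName());
    //   out.println(exception.getMessage());
    // Instead, keep the full detail in the server log, keyed by an opaque id.
    String incidentId = UUID.randomUUID().toString();
    if (exception != null) {
        // GenericServlet.log(String, Throwable) writes to the container log.
        log("Unhandled exception, incident " + incidentId, exception);
    }
    // Make sure the status code stays 500 and the error page is not cached.
    response.setStatus(500);
    response.setHeader("Cache-Control", "no-store");
%>
<!DOCTYPE html>
<html>
<head><title>Internal Server Error</title></head>
<body>
  <h1>Something went wrong</h1>
  <p>The request could not be processed. Please try again later.</p>
  <p>If the problem persists, quote incident reference <%= incidentId %>.</p>
</body>
</html>
```

Only the generated UUID reaches the browser; the exception class, message and stack trace stay in the container log where operators can correlate them by that id.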