Programmer failure for CMS (BOcare) site ?

Elixer

No, this isn't political, so keep that crap out of this thread.

I find this funny...yet sad at the same time... talk about failures!

Why in the world are they using java is that a CMS thing or something?
What is worse, why are these people posting urls to the main servers it is talking to or any of the stuff that is shown, and the stuff that isn't displayed (in the zip file) ?
All this information is what people looking to attack or penetrate the site need...
You would think they would be under NDA for this stuff.
Anyone else seen anything like this before ?

https://www.java.net/forum/topic/gl...ement-mapping-exists-when-binding-xml-objects

javax.xml.bind.annotation.XmlElementDecl$GLOBAL, substitutionHeadName=InsuranceApplicant, defaultValue=, substitutionHeadNamespace=http://hix.cms.gov/0.1/hix-core, namespace=http://applicant-eligibility.ee.ffe.cms.gov/extension/1.0,

mods, didn't know the correct location for this thread.. it has to do with programming failures, but, I guess it could also be security or even OT.. so feel free to move it.
 

tfinch2

I assume you are talking about healthcare.gov?

As far as using Java, it is a perfectly fine programming language choice for a web application.

Other than that, I can't decipher much else from your post to answer your questions.
 

Markbnj

I'm afraid I'm with tfinch2. I don't get your point. Is the failure that they posted code that is apparently revealing? It's certainly a big mess, so I can't tell if it is revealing very much. Btw, with respect to tfinch2's comment about healthcare.gov, if that is somehow related to all this then note that it doesn't appear on that page. There are some .gov namespaces but who the hell knows what that's all about. They're apparently using some heavy-handed Java framework, but for all I know it might be the best thing since sliced bread for government work.
 

KB

It looks like it is a government programmer asking for help on a Java forum and he is posting his stacktrace along with some sample code. I looked through the code and it isn't the whole project, but instead mostly generated code from a particular Java framework. If I was his boss I would ask him to update the post and remove the files, but I don't think he has exposed too much of the website and I wouldn't fire him. The URLs in the stacktrace are inaccessible and are likely just namespaces or internal URLs.
 

DaveSimmons

> Why in the world are they using java is that a CMS thing or something?

Java and its frameworks work well on the server side. You might be confusing web browser Java exploits with the safety and stability of running Java on servers.

> All this information is what people looking to attack or penetrate the site need...

Namespaces won't help attackers. They are web service definition and versioning information.
 

Leros

As others have said, Java is a great language for web backends. It might be one of the most popular languages. I know it's used by big companies like Google and Amazon. Also, there are enormous amounts of Java frameworks and libraries geared towards web development.
 
Sep 29, 2004
18,656
68
91
I once was reading some FUBAR code but fairly complicated. Then I saw a strange comment like "Rocket blasts off". I found it odd, so I googled the comment to see where they stole the code from. Turns out they didn't find it, but I did find the forum where this government contractor (on a top secret program) did ask for help with his/her code. Just shook my head.
 

slugg

> Why in the world are they using java is that a CMS thing or something?

I'm having a hard time answering your question, since it's not a reasonably well formulated sentence. But here's a stab at it.
1. They are using Java because they chose to use it.
2. No, Java is not a CMS. It's a programming language.

> What is worse, why are these people posting urls to the main servers it is talking to or any of the stuff that is shown, and the stuff that isn't displayed (in the zip file) ?

I'm having a hard time answering your question, since it's not a reasonably well formulated sentence. Are you asking if it's worse to post URLs rather than to not display stuff in a zip file? You lost me.

> All this information is what people looking to attack or penetrate the site need...

Trust me, penetration testing will reveal what needs to be revealed.

> You would think they would be under NDA for this stuff.

JAX-WS is not under NDA. The rest of the service related information doesn't really give out anything worth noting. Nobody cares.

> Anyone else seen anything like this before ?

Have you ever heard of Stack Overflow?

> mods, didn't know the correct location for this thread.. it has to do with programming failures, but, I guess it could also be security or even OT.. so feel free to move it.

Oh I get it now; you fail.