Posted to dev@tapestry.apache.org by "Howard M. Lewis Ship (JIRA)" <ta...@jakarta.apache.org> on 2005/03/12 21:57:57 UTC

[jira] Updated: (TAPESTRY-281) asset service has security flaw

     [ http://issues.apache.org/jira/browse/TAPESTRY-281?page=history ]

Howard M. Lewis Ship updated TAPESTRY-281:
------------------------------------------

      Assign To: Howard M. Lewis Ship
        Version: 3.1
                     (was: 3.0.2)
    Fix Version: 3.1

> asset service has security flaw
> -------------------------------
>
>          Key: TAPESTRY-281
>          URL: http://issues.apache.org/jira/browse/TAPESTRY-281
>      Project: Tapestry
>         Type: Bug
>   Components: Framework
>     Versions: 3.1
>  Environment: Tomcat 5, JDK 1.4
>     Reporter: Howard M. Lewis Ship
>     Assignee: Howard M. Lewis Ship
>      Fix For: 3.1

>
> The asset service can be used to view files that should not be visible.  This could expose important resources, including database passwords and connection information.
> The asset service appears to expose any file relative to the classpath, and you can even use the ".." operator to go backwards, down into WEB-INF in general.
> Here are some examples.  They were tested on a demo application which is often available on the web, but they've been "cleaned," so they don't point to a real server anymore:
> * View the web.xml file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Fweb.xml
> * View the tapestry.application file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Ftapestry.application
> * View a raw JSP file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2F..%2F404.jsp
> * Download a few class files that are part of the application:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FMessageFilter.class
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FBaseEngine.class

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
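The report above shows the asset service collapsing ".." in the "sp" parameter so that a path meant to be relative to the classpath escapes into WEB-INF and the web application root. The following is an added example, not Tapestry's code and not the fix the project shipped: it simulates the flawed lookup beside a hardened one, using a constructed in-memory stand-in for the exploded WAR, an assumed allowlist of asset suffixes (ALLOWED_SUFFIXES), and assumed helper names (sp_path, naive_resolve, hardened_resolve, serve). The leading "S" on the sp values is treated as the type marker the report's URLs carry and is stripped before resolution.

```python
import posixpath
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for an exploded web application (path -> bytes).
# Nothing here comes from a real deployment.
WEBAPP = {
    "WEB-INF/web.xml": b"<web-app><!-- servlet mappings, JNDI refs --></web-app>",
    "WEB-INF/tapestry.application": b"<application name='demo'/>",
    "404.jsp": b"<%-- raw JSP source --%>",
    "WEB-INF/classes/org/appfuse/web/MessageFilter.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x30",
    "WEB-INF/classes/images/logo.gif": b"GIF89a\x01\x00\x01\x00",
}

# The asset service resolves request paths relative to the classpath root.
CLASSPATH_ROOT = "WEB-INF/classes"

# Assumed allowlist: the only things an asset service should ever hand out.
ALLOWED_SUFFIXES = (".gif", ".png", ".jpg", ".css", ".js")


def sp_path(url):
    """Pull the 'sp' service parameter out of an asset URL and strip the
    leading type marker 'S', so sp=S%2F..%2Fweb.xml yields '/../web.xml'."""
    query = parse_qs(urlparse(url).query)  # percent-decodes exactly once
    sp = query.get("sp", [""])[0]
    if not sp.startswith("S"):
        raise ValueError("expected a string service parameter")
    return sp[1:]


def naive_resolve(path):
    """The flawed behaviour from the report: join the request path onto the
    classpath root and let '..' collapse, so '/../web.xml' lands on
    'WEB-INF/web.xml' and '/../../404.jsp' on the webapp root."""
    return posixpath.normpath(CLASSPATH_ROOT + "/" + path.lstrip("/"))


def hardened_resolve(path):
    """Return a resource path only if it stays under CLASSPATH_ROOT and names
    an allowed asset type; otherwise None (caller answers 403)."""
    if "\x00" in path or "\\" in path:
        return None
    segments = path.lstrip("/").split("/")
    # Reject traversal and empty/dot segments before any normalisation,
    # rather than normalising first and hoping nothing slipped through.
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    normalized = posixpath.normpath("/".join(segments))
    if not normalized.endswith(ALLOWED_SUFFIXES):
        return None  # no .class, .xml, .jsp, .properties, ...
    full = CLASSPATH_ROOT + "/" + normalized
    # Belt and braces: the canonical path must still sit under the root.
    if not full.startswith(CLASSPATH_ROOT + "/"):
        return None
    return full


def serve(url, resolver):
    """Simulate the service: (200, bytes) on success, 403 if the resolver
    rejects the path, 404 if it resolves to nothing, 400 on a bad parameter."""
    try:
        resolved = resolver(sp_path(url))
    except ValueError:
        return 400, b""
    if resolved is None:
        return 403, b""
    body = WEBAPP.get(resolved)
    return (200, body) if body is not None else (404, b"")


if __name__ == "__main__":
    base = "http://www.someserver.com/tapestry-app/app?service=asset&sp="
    for sp in ("S%2F..%2Fweb.xml", "S%2F..%2F..%2F404.jsp",
               "S%2Forg%2Fappfuse%2Fweb%2FMessageFilter.class",
               "S%2Fimages%2Flogo.gif"):
        url = base + sp
        print(sp, "naive:", serve(url, naive_resolve)[0],
              "hardened:", serve(url, hardened_resolve)[0])
```

The naive resolver returns 200 for all four of the report's request shapes; the hardened one returns 403 for the three that should never be served and 200 only for the image under the classpath. Note that the segment check runs on the once-decoded value: a doubly encoded "%252e%252e" arrives as the literal segment "%2e%2e", which is neither collapsed by normpath nor present as a resource, so it fails closed rather than traversing.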