You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "lantian (JIRA)" <de...@myfaces.apache.org> on 2006/01/07 02:25:15 UTC
[jira] Created: (MYFACES-1008) security bug of myfaces
security bug of myfaces
------------------------
Key: MYFACES-1008
URL: http://issues.apache.org/jira/browse/MYFACES-1008
Project: MyFaces
Type: Bug
Components: Tomahawk
Versions: 1.1.1
Environment: windows 2000 ;
SUN JDK1.4.0.3 ;
Tomcat 5.0.28
Reporter: lantian
Priority: Critical
FACES SERVLET is not secure when useing prefix mapping such as /faces/* .
users can access any contents in WEB-INF directory.
try following in your faces website :
http://localhost/mywebsite/faces/WEB-INF/web.xml
http://localhost/mywebsite/faces/WEB-INF/lib/
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Resolved: (MYFACES-1008) security bug of myfaces
Posted by "Dennis Byrne (JIRA)" <de...@myfaces.apache.org>.
[ http://issues.apache.org/jira/browse/MYFACES-1008?page=all ]
Dennis Byrne resolved MYFACES-1008:
-----------------------------------
Fix Version: Nightly
Resolution: Fixed
Should work now for the following :
/faces/./WEB-INF/web.xml
/faces/../WEB-INF/web.xml
/faces/WEB-INF%2fweb.xml
/faces/wEB-INF/
/faces/WEB-INF/
/faces/WEB-INF
... and META-INF .
> security bug of myfaces
> ------------------------
>
> Key: MYFACES-1008
> URL: http://issues.apache.org/jira/browse/MYFACES-1008
> Project: MyFaces
> Type: Bug
> Components: Tomahawk
> Versions: 1.1.1
> Environment: windows 2000 ;
> SUN JDK1.4.0.3 ;
> Tomcat 5.0.28
> Reporter: lantian
> Assignee: Dennis Byrne
> Priority: Critical
> Fix For: Nightly
>
> FACES SERVLET is not secure when useing prefix mapping such as /faces/* .
> users can access any contents in WEB-INF directory.
> try following in your faces website :
> http://localhost/mywebsite/faces/WEB-INF/web.xml
> http://localhost/mywebsite/faces/WEB-INF/lib/
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Closed: (MYFACES-1008) security bug of myfaces
Posted by "Martin Marinschek (JIRA)" <de...@myfaces.apache.org>.
[ http://issues.apache.org/jira/browse/MYFACES-1008?page=all ]
Martin Marinschek closed MYFACES-1008:
--------------------------------------
> security bug of myfaces
> ------------------------
>
> Key: MYFACES-1008
> URL: http://issues.apache.org/jira/browse/MYFACES-1008
> Project: MyFaces
> Type: Bug
> Components: Tomahawk
> Versions: 1.1.1
> Environment: windows 2000 ;
> SUN JDK1.4.0.3 ;
> Tomcat 5.0.28
> Reporter: lantian
> Assignee: Dennis Byrne
> Priority: Critical
> Fix For: Nightly
>
> FACES SERVLET is not secure when useing prefix mapping such as /faces/* .
> users can access any contents in WEB-INF directory.
> try following in your faces website :
> http://localhost/mywebsite/faces/WEB-INF/web.xml
> http://localhost/mywebsite/faces/WEB-INF/lib/
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira