[ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastiaan van Erk updated WICKET-4431:
---------------------------------------
Comment: was deleted
(was: As an extra point to show that this is not the same issue, one can also
access web.xml using the following URL:
http://localhost:8080/wicket/resource/Default/WEB-INF/web.xml
Where Default is a class in the default package. This would require a class in
the default package of course, and you to know it, but this is not as hard to
find as one might think (for example, many obfuscators put classes with easily
guessable names in the default package such as Za; just using a library with
one of those obfuscated classes in it is enough to make this attack work again).
)
> Possible to retrieve files from WEB-INF (e.g., web.xml).
> --------------------------------------------------------
>
> Key: WICKET-4431
> URL: https://issues.apache.org/jira/browse/WICKET-4431
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.5.4
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Critical
>
> The following URL works to get the web.xml from the WEB-INF directory:
> http://localhost:8080/wicket/resource/int/WEB-INF/web.xml
> This is because the WebApplicationPath constructor by default adds / allowing
> us to access the resources from the servlet context.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
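A defender-side check for the lookup described in the report above, added here as an illustration and not Wicket's own code: it models how a scope class's package becomes a directory prefix (empty for `int` or for a default-package class such as `Default`), resolves the requested path against the servlet context root, and refuses anything that lands under WEB-INF or META-INF. The class `ContextResourceGuard` and its methods are hypothetical names; the check goes beyond the report by also collapsing `..` segments before deciding.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Models the lookup behind /wicket/resource/<scope>/<path>: the scope class's
 * package is turned into a directory prefix and the result is resolved against
 * the servlet context root. A scope without a package ("int", or a class in the
 * default package) yields an empty prefix, so "<scope>/WEB-INF/web.xml" resolves
 * straight to /WEB-INF/web.xml. Hypothetical helper, not Wicket code.
 */
public final class ContextResourceGuard {

    /** Package of the scope as a path prefix with trailing slash, or "" if it has no package. */
    static String scopePrefix(String scopeName) {
        int lastDot = scopeName.lastIndexOf('.');
        return lastDot < 0 ? "" : scopeName.substring(0, lastDot).replace('.', '/') + "/";
    }

    /** Collapses "." and ".." segments; returns null when traversal would escape the root. */
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (out.isEmpty()) return null;
                out.removeLast();
                continue;
            }
            out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }

    /** Returns the context-relative path that may be served, or null to refuse it. */
    public static String resolve(String scopeName, String relativePath) {
        String full = normalize(scopePrefix(scopeName) + relativePath);
        if (full == null) return null;
        String top = full.substring(1);                       // first segment below the root
        int slash = top.indexOf('/');
        if (slash >= 0) top = top.substring(0, slash);
        // The servlet spec never serves these directories to clients; compare
        // case-insensitively so a case-insensitive filesystem cannot be abused.
        if (top.equalsIgnoreCase("WEB-INF") || top.equalsIgnoreCase("META-INF")) return null;
        return full;
    }

    public static void main(String[] args) {
        System.out.println(resolve("int", "WEB-INF/web.xml"));                         // null (refused)
        System.out.println(resolve("Default", "WEB-INF/web.xml"));                     // null (refused)
        System.out.println(resolve("com.example.HomePage", "../../WEB-INF/web.xml"));  // null (refused)
        System.out.println(resolve("com.example.HomePage", "style.css"));              // /com/example/style.css
    }
}
```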