William A. Rowe, Jr. wrote:
Mark Thomas wrote:

Description:
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by locating it in under the WEB-INF
directory.

Mitigation:
6.0.x users should upgrade to 6.0.18

Stupid question, perhaps, but why weren't mitigations published with this
advisory?  In general we want people to simply adopt the current version,
but if they don't match the vulnerability conditions (or are willing to
configure themselves away from them), this should not disrupt the active
installations.

What mitigations are you thinking of?

The description is intended to be sufficient for a user to determine if they match the vulnerability conditions. And for this notice I believe it meets these criteria.

In this case there is no way of configuring yourself away from the vulnerability. If you use a RequestDispatcher, you are vulnerable.

Mark
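The ordering bug the advisory describes, shown as an added illustration in Python rather than Tomcat's own Java code: the "buggy" resolver normalises the dispatcher target before the query string is removed, so `..` segments inside a request parameter take part in normalisation; the "fixed" resolver drops the query string first. The sample target, the `PROTECTED_PREFIXES` list, the case-insensitive check and all function names are constructed for this example and are not taken from Tomcat.

```python
from posixpath import normpath

# Constructed for this example: prefixes a container must never serve or
# forward to. Tomcat protects WEB-INF and META-INF; the case-insensitive
# comparison below is this example's own conservative choice.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def strip_query(target):
    """Remove the query string: everything from the first '?' onwards."""
    return target.split("?", 1)[0]


def normalise(path):
    """Collapse '.' and '..' segments the way a container does before
    mapping a path to a resource. posixpath.normpath keeps the leading '/'
    and discards '..' segments that would climb above the root."""
    return normpath(path)


def resolve_buggy(target):
    """Vulnerable order from the advisory: normalise, then drop the query.
    Any '..' inside a parameter value is still present during normalisation."""
    return strip_query(normalise(target))


def resolve_fixed(target):
    """Corrected order: drop the query string, then normalise what is left."""
    return normalise(strip_query(target))


def is_protected(resolved):
    """True if a normalised path points into a protected directory."""
    upper = resolved.upper()
    return upper in ("/WEB-INF", "/META-INF") or any(
        upper.startswith(prefix) for prefix in PROTECTED_PREFIXES
    )


def safe_forward_target(target):
    """Resolve a RequestDispatcher target with the corrected ordering and
    refuse anything that lands under a protected directory."""
    resolved = resolve_fixed(target)
    if is_protected(resolved):
        raise ValueError("dispatcher target resolves into a protected directory")
    return resolved


if __name__ == "__main__":
    # Constructed sample: a forward to a normal page whose query string
    # carries '..' segments inside a parameter value.
    sample = "/app/view.jsp?next=/../../WEB-INF/web.xml"
    print("normalise-then-strip:", resolve_buggy(sample))   # lands in /WEB-INF/
    print("strip-then-normalise:", resolve_fixed(sample))   # /app/view.jsp
    print("safe target:", safe_forward_target(sample))
```

The point of the comparison is that no filter on the *original* string helps: both resolvers see the same input, and only the order of the two steps decides whether the parameter value participates in path normalisation.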
