[ https://issues.apache.org/jira/browse/JSPWIKI-72?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Holeczek closed JSPWIKI-72.
-----------------------------------
> Ounce Labs Security Finding: Access Control - Forced Browsing Security Config
> ------------------------------------------------------------------------------
>
> Key: JSPWIKI-72
> URL: https://issues.apache.org/jira/browse/JSPWIKI-72
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication&Authorization
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Assignee: Andrew Jaquith
> Fix For: 2.6.0
>
> Attachments: report.pdf
>
>
> Description:
> Any user (unauthenticated/authenticated/asserted) can force browse to this
> page and gain pseudo-sensitive information about the security configuration
> of the application. This page details various security configurations of the
> site, including the access control definition, etc. Using this information
> an attacker can determine potential access control weaknesses or
> misconfigurations related to security. It appears that this page is intended
> to only be accessed by administrators; however, the access control check on
> this page is not in place, allowing any user to invoke it.
> URL: http://localhost:8080/admin/SecurityConfig.jsp
> Recommendation:
> Consider calling "wikiContext.hasAccess" and/or the appropriate authorization
> mechanism to ensure that only privileged administrative users can access this
> page.
> Related Code Locations:
> 1 findings:
> Name: JSPWiki_2_4_104.admin.SecurityConfig_jsp.jspInit():void
> Type: Vulnerability.AccessControl
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\admin\SecurityConfig.jsp
> Line / Col: 10 / 0
> Context: this . javax.servlet.GenericServlet.getServletConfig ()
> -----------------------------------
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
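The finding above is a missing authorization check on an admin-only JSP reachable by forced browsing. As an added illustration (not JSPWiki's own fix, which is not shown in this ticket), the following servlet filter guards the whole `/admin/*` path in front of any individual page check; the class name `AdminAccessFilter`, the role name `Admin` and the `adminRole` init parameter are assumptions for this example, and the role must be populated by the container or the application's own realm.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical guard for the admin area (example code, not JSPWiki's own).
 * Mapped in web.xml with <filter-mapping><url-pattern>/admin/*</url-pattern>,
 * so SecurityConfig.jsp and every other admin page is covered even if a page
 * itself forgets to check, which is exactly the defect the finding describes.
 */
public class AdminAccessFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(AdminAccessFilter.class.getName());

    // Assumed role name; override with the "adminRole" init-param in web.xml.
    private String adminRole = "Admin";

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("adminRole");
        if (configured != null && configured.length() > 0) {
            adminRole = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Anonymous, asserted and authenticated non-admin callers are all
        // rejected the same way; only a principal holding the admin role passes.
        boolean isAdmin = request.getUserPrincipal() != null
                && request.isUserInRole(adminRole);
        if (!isAdmin) {
            String who = request.getUserPrincipal() == null
                    ? "anonymous" : request.getUserPrincipal().getName();
            // Log the denial: repeated hits on /admin/* from one client are a
            // useful forced-browsing signal for the operator.
            LOG.warning("Denied " + request.getRequestURI() + " to " + who
                    + " from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

The filter is a path-level safety net; the page itself should still make its own permission check, as the ticket recommends, so that a mis-mapped URL pattern does not silently re-expose it.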