[JIRA] (JENKINS-11538) Jenkins serves existing files regardless of security
[ https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=161851#comment-161851 ] dogfood commented on JENKINS-11538:

Integrated in [jenkins_ui-changes_branch #21|http://ci.jenkins-ci.org/job/jenkins_ui-changes_branch/21/]
[FIXED JENKINS-11538] integrated Stapler 1.187 that contains the fix. (Revision 9acf12f7976bd97bfa125e4b715ae340be8c1715)
Result = SUCCESS
Kohsuke Kawaguchi : [9acf12f7976bd97bfa125e4b715ae340be8c1715|https://github.com/jenkinsci/jenkins/commit/9acf12f7976bd97bfa125e4b715ae340be8c1715]
Files :
* core/pom.xml

Jenkins serves existing files regardless of security
Key: JENKINS-11538
URL: https://issues.jenkins-ci.org/browse/JENKINS-11538
Project: Jenkins
Issue Type: Bug
Components: security, www
Affects Versions: current
Environment: Jenkins 1.436, Windows 7 64-bit SP1, built-in Winstone servlet engine 0.9.10
Reporter: Steve Betts
Priority: Critical

A URL of the form (note the dot):
https://server/WEB-INF./web.xml
will return the file, even with security turned on and the client unauthenticated. As will any other URL that references a valid filename with a '.' after the first directory name, such as https://server/scripts./behavior.js.

These behaviors are considered vulnerabilities by our large corporation.
http://xforce.iss.net/xforce/xfdb/9446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1858

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[ https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=161384#comment-161384 ] Steve Betts commented on JENKINS-11538:

These changes are a good step and remove the vulnerability for WEB-INF and META-INF attacks, but this does nothing for the https://server/scripts./behavior.js attack. Please don't forget that facet too.
[ https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] SCM/JIRA link daemon resolved JENKINS-11538.

Resolution: Fixed
[ https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=161390#comment-161390 ] SCM/JIRA link daemon commented on JENKINS-11538:

Code changed in jenkins
User: Kohsuke Kawaguchi
Path: core/pom.xml
http://jenkins-ci.org/commit/jenkins/9acf12f7976bd97bfa125e4b715ae340be8c1715
Log: [FIXED JENKINS-11538] integrated Stapler 1.187 that contains the fix.
[ https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=161393#comment-161393 ] dogfood commented on JENKINS-11538:

Integrated in [jenkins_main_trunk #1649|http://ci.jenkins-ci.org/job/jenkins_main_trunk/1649/]
[FIXED JENKINS-11538] integrated Stapler 1.187 that contains the fix. (Revision 9acf12f7976bd97bfa125e4b715ae340be8c1715)
Result = UNSTABLE
Kohsuke Kawaguchi : [9acf12f7976bd97bfa125e4b715ae340be8c1715|https://github.com/jenkinsci/jenkins/commit/9acf12f7976bd97bfa125e4b715ae340be8c1715]
Files :
* core/pom.xml
[ https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=161362#comment-161362 ] johno commented on JENKINS-11538:

Please see https://github.com/stapler/stapler/pull/6/files for the proposed patch.
[ https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=161363#comment-161363 ] johno commented on JENKINS-11538:

Another attack URL for systems with a non-case-sensitive file system, e.g. https://server/WEb-InF/web.xml
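The following is an added example, not Jenkins or Stapler code and not the fix shipped in Stapler 1.187. It models the two bypasses raised in this thread, the reporter's trailing-dot URLs (`/WEB-INF./web.xml`, `/scripts./behavior.js`) and johno's mixed-case URL (`/WEb-InF/web.xml`), against a naive case-sensitive prefix check, and puts a hardened check beside it that decodes and normalizes the path before judging each segment. It also covers a percent-encoded variant (`/%57EB-INF/web.xml`) and a `..` traversal, which go beyond the thread but fail the same naive check for the same reason. The `WEBAPP_FILES` table and the `windows_lookup` simulation of a case-insensitive filesystem that drops trailing dots from names are assumptions constructed for the example; nothing here touches a real disk.

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example: the files a deployed webapp would contain,
# keyed by their path relative to the web root. Nothing touches a real disk.
WEBAPP_FILES = {
    "WEB-INF/web.xml": "<web-app/>",
    "scripts/behavior.js": "// behavior.js",
    "index.html": "<html/>",
}

PROTECTED_DIRS = ("WEB-INF", "META-INF")


def naive_is_allowed(url_path):
    """A case-sensitive prefix test on the raw request path: the kind of
    check that both the trailing-dot and the mixed-case URLs slip past."""
    return not (url_path.startswith("/WEB-INF/")
                or url_path.startswith("/META-INF/"))


def windows_lookup(url_path):
    """Simulate a case-insensitive filesystem that ignores trailing dots and
    spaces in names (Windows semantics, the reporter's environment) resolving
    a decoded request path against WEBAPP_FILES. Assumption for the example."""
    parts = [p.rstrip(". ").lower()
             for p in unquote(url_path).strip("/").split("/")]
    wanted = "/".join(parts)
    for name, content in WEBAPP_FILES.items():
        if name.lower() == wanted:
            return content
    return None


def hardened_is_allowed(url_path):
    """Decode and normalize first, then judge each segment: no backslashes or
    NULs, no segment that is an alias of another name (trailing dot/space),
    and no protected directory under any capitalization."""
    path = unquote(url_path)
    if "\\" in path or "\x00" in path:
        return False
    # Anchoring at "/" before normpath means ".." can never climb above the root.
    normalized = posixpath.normpath("/" + path.lstrip("/"))
    for seg in normalized.strip("/").split("/"):
        if seg != seg.rstrip(". "):
            return False
        if seg.upper() in PROTECTED_DIRS:
            return False
    return True


def serve(url_path, allowed):
    """Return (status, body) for a request judged by the given predicate."""
    if not allowed(url_path):
        return 403, None
    body = windows_lookup(url_path)
    return (200, body) if body is not None else (404, None)


if __name__ == "__main__":
    for url in ("/WEB-INF./web.xml", "/WEb-InF/web.xml", "/scripts./behavior.js"):
        print(url, "naive:", serve(url, naive_is_allowed)[0],
              "hardened:", serve(url, hardened_is_allowed)[0])
```

The point of the hardened version is ordering: authorization is decided on the same canonical form the filesystem will use, so a name that the filesystem treats as an alias (trailing dot, different case, encoded bytes, `..`) cannot reach the lookup under a spelling the check never saw. Rejecting any segment with a trailing dot or space also closes the `/scripts./behavior.js` alias that Steve Betts noted was left open after the WEB-INF/META-INF fix.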