Folks!

As described here

http://www.milw0rm.com/exploits/4567

there is a security bug in the current Slide release. Using the LOCK method it is possible to display content from your local file system. This works by passing over literate XML that contains entities that refer to your local file system. AFAIK this cannot be prevented by the XML implementation Slide uses (JDOM).

A quick fix would be to disable the LOCK method in the web.xml by commenting it out or removing it. I have also committed a patched LockMethod.java that does not return literate XML at all. This may cause trouble with the owner field that some clients require, but it is the best I can do for now. It is checked in in the Slide 2.1 release branch and in the HEAD branch.

For existing Slide 2.1 installations it would suffice to check out, compile and replace the LockMethod class. You can do so by copying it in the WEB-INF/class folder including all package directories.

If you grant outside access to your Slide WebDAVServer be sure to take care of this bug.

Cheers

Oliver
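
A defensive pre-parse check for the LOCK request body, as an added example that is not part of the original message or of Slide's code: it parses the body with the JDK's JAXP parser configured to treat any DOCTYPE as a fatal error, so entity declarations never reach the code that handles the lock owner. The class name `LockBodyGuard`, the method `isAcceptable` and both sample bodies are constructed for illustration, and it assumes a Xerces-compatible parser such as the JDK's built-in one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

public class LockBodyGuard {
    // Xerces feature, honoured by the JDK's built-in parser: any DOCTYPE is a fatal error.
    private static final String NO_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    /** True only if the body is well-formed XML that carries no DTD at all. */
    static boolean isAcceptable(byte[] body) {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setFeature(NO_DOCTYPE, true);
            factory.newSAXParser().parse(new ByteArrayInputStream(body), new DefaultHandler());
            return true;
        } catch (Exception e) {
            // DOCTYPE present, malformed XML, or a parser without the feature: fail closed.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary LOCK body with an owner element.
        String plain = "<?xml version=\"1.0\"?>"
                + "<D:lockinfo xmlns:D=\"DAV:\">"
                + "<D:lockscope><D:exclusive/></D:lockscope>"
                + "<D:locktype><D:write/></D:locktype>"
                + "<D:owner><D:href>mailto:user@example.org</D:href></D:owner>"
                + "</D:lockinfo>";
        // Constructed sample: same body, but the owner is filled from a declared entity.
        String withDtd = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE lockinfo [<!ENTITY e \"constructed\">]>"
                + "<D:lockinfo xmlns:D=\"DAV:\">"
                + "<D:lockscope><D:exclusive/></D:lockscope>"
                + "<D:locktype><D:write/></D:locktype>"
                + "<D:owner>&e;</D:owner>"
                + "</D:lockinfo>";
        System.out.println("plain:   " + isAcceptable(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("withDtd: " + isAcceptable(withDtd.getBytes(StandardCharsets.UTF_8)));
    }
}
```

A body that fails the check can be answered with 400 Bad Request before it reaches the LOCK handling code, which keeps the owner element usable for clients that send plain XML.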