[ http://issues.apache.org/jira/browse/TAPESTRY-278?page=all ]

Brian K. Wallace closed TAPESTRY-278:
-------------------------------------
> Tapestry 3.0.2 asset service has security flaw
> ----------------------------------------------
>
>          Key: TAPESTRY-278
>          URL: http://issues.apache.org/jira/browse/TAPESTRY-278
>      Project: Tapestry
>         Type: Bug
>   Components: Framework
>     Versions: 3.0.2
>  Environment: Tomcat 5, JDK 1.4
>     Reporter: Nathan Kopp
>     Assignee: Paul Ferraro
>      Fix For: 3.0.3
>  Attachments: AssetService.patch
>
> The asset service can be used to view files that should not be visible. This
> could expose important resources, including database passwords and connection
> information.
> The asset service appears to expose any file relative to the classpath, and
> you can even use the ".." operator to go backwards, down into WEB-INF in
> general.
> Here are some examples. They were tested on a demo application which is
> often available on the web, but they've been "cleaned," so they don't point
> to a real server anymore:
> * View the web.xml file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Fweb.xml
> * View the tapestry.application file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Ftapestry.application
> * View a raw JSP file:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2F..%2F404.jsp
> * Download a few class files that are part of the application:
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FMessageFilter.class
> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FBaseEngine.class

-- 
This message is automatically generated by JIRA.
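Added illustration, not Tapestry code and not the attached AssetService.patch: a guard that a classpath-backed asset service could apply to the decoded asset path before handing it to the class loader. It shows the two controls the report implies are missing, refusal of ".." segments and an allow-list of servable roots, plus a deny-list of suffixes that are never static assets. The class name, the allowed root and the suffix list are assumptions; the input is assumed to be the path as already decoded once by the servlet container (the "S" type prefix of the sp value stripped by the caller).

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical guard for a classpath-backed asset service (added example). */
public class AssetPathGuard {
    // Assumed allow-list: the only classpath folder whose contents may be served.
    private static final String[] ALLOWED_ROOTS = { "/org/example/app/assets/" };
    // Assumed deny-list: code and configuration are never static assets.
    private static final String[] DENIED_SUFFIXES = { ".class", ".xml", ".properties", ".application" };

    /**
     * Takes the container-decoded asset path (e.g. "/../web.xml") and returns the
     * normalized classpath resource name, or null when the request must be refused.
     * Do not URL-decode again here: a second decode would reopen encoded traversal.
     */
    public static String resolve(String requested) {
        if (requested == null || requested.indexOf('\0') >= 0 || requested.indexOf('\\') >= 0) {
            return null;                              // NUL bytes and backslashes are never legitimate
        }
        List<String> segments = new ArrayList<String>();
        for (String seg : requested.split("/")) {
            if (seg.length() == 0 || seg.equals(".")) continue;
            if (seg.equals("..")) return null;        // refuse any climb instead of collapsing it
            segments.add(seg);
        }
        if (segments.isEmpty()) return null;
        StringBuilder sb = new StringBuilder();
        for (String seg : segments) sb.append('/').append(seg);
        String normalized = sb.toString();            // e.g. "/org/example/app/assets/css/site.css"
        String lower = normalized.toLowerCase();
        for (String suffix : DENIED_SUFFIXES) {
            if (lower.endsWith(suffix)) return null;  // never hand out bytecode or config files
        }
        for (String root : ALLOWED_ROOTS) {
            if (normalized.startsWith(root)) return normalized;
        }
        return null;                                  // outside every allowed root
    }

    public static void main(String[] args) {
        // Constructed samples: the report's paths (decoded) and one legitimate asset.
        String[] samples = { "/../web.xml", "/../tapestry.application", "/../../404.jsp",
                             "/org/appfuse/web/MessageFilter.class",
                             "/org/example/app/assets/css/./site.css" };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));   // only the last one resolves
        }
    }
}
```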