Security issue: web.xml accessible to anonymous users
Issue
- Our web.xml is reachable by anonymous users by manipulating the resourceID of a resource request. For instance, the following URL:
http://localhost:8080/portal/public/classic/?portal%3AcomponentId=bf5ca0f9-78fb-45bf-bd6e-666fdcbdbf0d&portal%3Atype=resource&navigationalstate=...*&portal%3AwindowState=normal&portal%3AportletMode=view&portal%3AresourceID=/images/cardemo.jpg&portal%3AcacheLevel=PAGE
will present web.xml if resourceID=/images/cardemo.jpg is replaced with resourceID=/images/../WEB-INF/web.xml.
Environment
- JBoss Enterprise Portal Platform (EPP) 5.1.1
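As an added illustration (not part of this article or of EPP's own code), the check below shows how a resource handler should validate a portal:resourceID before serving a file, and runs the same check over constructed access-log lines to surface requests that reach outside the public resource directory. The /images root, the combined log format and the double-decoding step are assumptions.

```python
"""Validate portal:resourceID values and flag traversal attempts in access logs.
Added example; the /images root and the log lines are constructed, not from EPP."""
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

RESOURCE_ROOT = "/images"   # assumed directory from which resources may be served


def normalize_resource_id(resource_id: str) -> str:
    """Decode twice (to catch %252e-style double encoding) and collapse '.'/'..'."""
    decoded = unquote(unquote(resource_id)).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def is_safe_resource_id(resource_id: str, root: str = RESOURCE_ROOT) -> bool:
    """True only if the normalized path stays under root and never names WEB-INF/META-INF."""
    path = normalize_resource_id(resource_id)
    under_root = path == root or path.startswith(root.rstrip("/") + "/")
    protected = any(seg.upper() in ("WEB-INF", "META-INF") for seg in path.split("/"))
    return under_root and not protected


def flag_traversal_requests(log_lines):
    """Return (line number, normalized path) for each request with an unsafe resourceID."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            target = line.split('"')[1].split()[1]   # '"GET /path?x=y HTTP/1.1"' -> '/path?x=y'
        except IndexError:
            continue
        params = parse_qs(urlsplit(target).query)     # decodes portal%3AresourceID -> portal:resourceID
        for rid in params.get("portal:resourceID", []):
            if not is_safe_resource_id(rid):
                hits.append((n, normalize_resource_id(rid)))
    return hits


# Constructed sample log: one legitimate image request, then three encodings of the same traversal.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2011:13:55:36 +0000] "GET /portal/public/classic/?portal%3Atype=resource&portal%3AresourceID=/images/cardemo.jpg HTTP/1.1" 200 5123',
    '10.0.0.9 - - [10/Oct/2011:13:56:01 +0000] "GET /portal/public/classic/?portal%3Atype=resource&portal%3AresourceID=/images/../WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Oct/2011:13:56:07 +0000] "GET /portal/public/classic/?portal%3Atype=resource&portal%3AresourceID=%2Fimages%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Oct/2011:13:57:00 +0000] "GET /portal/public/classic/?portal%3Atype=resource&portal%3AresourceID=/images/%252e%252e/WEB-INF/web.xml HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {line_no}: resourceID resolves to {path}")
```

A 200 status on the flagged lines is the signal that the deployment is still serving the file; after the fix those requests should be rejected.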