JBoss Enterprise Application Platform 4 and 5 / JBPAPP-10877

Seam WebResource causes potential Path Vulnerability


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • EAP_EWP 5.3.0.ER1
    • EAP_EWP 5.1.0
    • Seam2
    • None
    • Release Notes
    • In previous releases of JBoss EAP 5, Seam WebResource could cause a potential path vulnerability. This release of the product sees the removal of WebResource as Seam no longer uses it. This action, therefore, also resolves the vulnerability issue.
    • Documented as Resolved Issue
    • NEW

      Whenever a user uses jboss-seam-ui.jar in his application, an org.jboss.seam.ui.resource.WebResource is automatically started, and when a certain URL is accessed

      #{path_to_app}/seam/resource/web

      an archive with WebResource class is downloaded, i.e. anything in org.jboss.seam.ui.resource package can be accessed from outside.

      This is a potential vulnerability, since an attacker can see parts of the implementation of the application.

            mnovotny@redhat.com Marek Novotny
            rhn-support-jtrantin Jonáš Trantina (Inactive)
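
An added example, not part of the original issue or of Seam itself: an inventory check that walks a deployment archive, including nested WARs and JARs, and reports every library that bundles the `org.jboss.seam.ui.resource.WebResource` class named above. The function names, the nesting limit and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Class named in the issue; per the report, shipping it starts the resource.
TARGET = "org/jboss/seam/ui/resource/WebResource.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".sar")
MAX_DEPTH = 4  # EAR -> WAR -> JAR needs 2 levels; the cap bounds deep nesting


def find_webresource(data, label, depth=0):
    """Return archive paths (outer!/inner!/...) that bundle the WebResource class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a real archive despite its extension
    with zf:
        names = zf.namelist()
        if TARGET in names:
            hits.append(label)
        if depth < MAX_DEPTH:
            for name in names:
                if name.lower().endswith(ARCHIVE_EXTS):
                    nested = zf.read(name)
                    hits += find_webresource(nested, f"{label}!/{name}", depth + 1)
    return hits


def _zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_ear():
    # Constructed sample: shop.war bundles jboss-seam-ui.jar, admin.war does not.
    seam_ui = _zip({TARGET: b"\xca\xfe\xba\xbe"})
    shop = _zip({"WEB-INF/lib/jboss-seam-ui.jar": seam_ui, "index.xhtml": b"<html/>"})
    admin = _zip({"WEB-INF/lib/other.jar": _zip({"com/example/A.class": b""})})
    return _zip({"shop.war": shop, "admin.war": admin})


if __name__ == "__main__":
    for hit in find_webresource(sample_ear(), "app.ear"):
        print("bundles WebResource:", hit)
```

To scan a real deployment, pass the bytes of the EAR or WAR file and its file name as the label.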