JSPWiki / JSPWIKI-1095

Local File Inclusion (limited ROOT folder) leads to user information disclosure

    Details

    • Type: Task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.9, 2.9.1, 2.10, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0-M1, 2.11.0-M2
    • Fix Version/s: 2.11.0-M3
    • Component/s: None
    • Labels: None

      Description

      DefaultURLConstructor#getForwardPage(req) allows a specially crafted URL to access files under the ROOT directory of the application, including, but not limited to, userdatabase.xml.

      Reported by Muthukumar Marikani.

            People

            • Assignee: Juan Pablo Santos Rodríguez (juanpablo)
            • Reporter: Juan Pablo Santos Rodríguez (juanpablo)