[JSPWIKI-1095] Local File Inclusion (limited ROOT folder) leads to user information disclosure - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.9, 2.9.1, 2.10, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0-M1, 2.11.0-M2
Fix Version/s: 2.11.0-M3
Component/s: None
Labels:
None

Description

DefaultURLConstructor#getForwardPage(req) allows a specially crafted url to access files under the ROOT directory of the application, including, but not limited to, userdatabase.xml.

Reported by Muthukumar Marikani.

Attachments

Activity

People

Assignee:: Juan Pablo Santos Rodríguez

Reporter:: Juan Pablo Santos Rodríguez

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 21/Mar/19 21:44

Updated:: 26/Mar/19 21:51

Resolved:: 21/Mar/19 22:09