Details
-
Type: Bug
-
Status: Closed
-
Priority: Critical
-
Resolution: Fixed
-
Affects Version/s: EE-1.8.2.GA_P03
-
Fix Version/s: EE-1.8.2.GA_P04
-
Component/s: Framework
-
Labels:None
-
Environment:All
Description
A customer has run a security/vulnerability tests and found that there were some potential security issues with CSS resource path.
Attack Request: GET /<ContextPath>/xmlhttp/css/%3csCrIpT%3ealert(73888)%3c%2fsCrIpT%3e HTTP/1.1
Referer: http:// <servername:port>....TRUNCATED...
Attack Response: HTTP/1.1 404 Not Found
ETag: be339490
Cache-Control: private
Cache-Control: max-age=2629743
Last-Modified: Thu, 23 Jun 2011 16:39:20 GMT
Content-Type: text/plain; charset=UTF-8
Content-Language: en-US
Connection: Close
Date: Thu, 23 Jun 2011 22:39:23 GMT
Server: WebSphere Application Server/6.1
Content-Length: 75
Cannot find CSS file for /<ContextPath>/xmlhttp/css/
Attack Request: GET /<ContextPath>/xmlhttp/css/%3csCrIpT%3ealert(73888)%3c%2fsCrIpT%3e HTTP/1.1
Referer: http:// <servername:port>....TRUNCATED...
Attack Response: HTTP/1.1 404 Not Found
ETag: be339490
Cache-Control: private
Cache-Control: max-age=2629743
Last-Modified: Thu, 23 Jun 2011 16:39:20 GMT
Content-Type: text/plain; charset=UTF-8
Content-Language: en-US
Connection: Close
Date: Thu, 23 Jun 2011 22:39:23 GMT
Server: WebSphere Application Server/6.1
Content-Length: 75
Cannot find CSS file for /<ContextPath>/xmlhttp/css/
Changed the code in 1.8 branch to not render the path of the resource in the HTTP 404 response. This might avoid any future security issues, although the rendered path represented the request path not the file system path.