ICEfaces / ICE-6987

Security vulnerability with ServeCSSResource.java

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: EE-1.8.2.GA_P03
    • Fix Version/s: EE-1.8.2.GA_P04
    • Component/s: Framework
    • Labels: None
    • Environment: All

      Description

      A customer has run security/vulnerability tests and found that there were some potential security issues with the CSS resource path.

      Attack Request: GET /<ContextPath>/xmlhttp/css/%3csCrIpT%3ealert(73888)%3c%2fsCrIpT%3e HTTP/1.1
      Referer: http:// <servername:port>....TRUNCATED...

      Attack Response: HTTP/1.1 404 Not Found
      ETag: be339490
      Cache-Control: private
      Cache-Control: max-age=2629743
      Last-Modified: Thu, 23 Jun 2011 16:39:20 GMT
      Content-Type: text/plain; charset=UTF-8
      Content-Language: en-US
      Connection: Close
      Date: Thu, 23 Jun 2011 22:39:23 GMT
      Server: WebSphere Application Server/6.1
      Content-Length: 75
      Cannot find CSS file for /<ContextPath>/xmlhttp/css/

        Activity

        Mircea Toma added a comment -

        Changed the code in 1.8 branch to not render the path of the resource in the HTTP 404 response. This might avoid any future security issues, although the rendered path represented the request path not the file system path.

        Mircea Toma added a comment -

        The 'compat' resources in ICEfaces 2.* are served by the CompatResourceServlet which already sends just "Resource not found" message in its 404 responses.

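As an added example (not ICEfaces code), a resource servlet showing the 404 pattern the scanner flagged next to the behaviour the fix describes: the request path is no longer written into the response body, only to the server log. The class name, the in-memory stylesheet map and the log sanitiser are assumptions made for the example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative resource servlet, not the ICEfaces ServeCSSResource code.
public class CssResourceServletExample extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(CssResourceServletExample.class.getName());

    // Constructed stand-in for the real resource lookup: file name -> stylesheet bytes.
    private static final Map<String, byte[]> CSS = new HashMap<>();
    static { CSS.put("xp.css", "body { margin: 0; }".getBytes(java.nio.charset.StandardCharsets.UTF_8)); }

    // Before the fix: the 404 body echoes the request path, so attacker-controlled
    // input is reflected into the response. That reflection is what the scanner reported.
    static void send404Echoing(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
        resp.setContentType("text/plain; charset=UTF-8");
        resp.getWriter().write("Cannot find CSS file for " + req.getRequestURI());
    }

    // After the fix: a constant body. The requested path is still useful for
    // troubleshooting, so it goes to the server log with CR/LF/TAB replaced,
    // which keeps a crafted path from forging extra log lines.
    static void send404Generic(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        LOG.warning("CSS resource not found: " + forLog(req.getRequestURI()));
        resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
        resp.setContentType("text/plain; charset=UTF-8");
        resp.setHeader("X-Content-Type-Options", "nosniff"); // body must never be sniffed as HTML
        resp.getWriter().write("Resource not found");
    }

    static String forLog(String s) {
        return s == null ? "" : s.replaceAll("[\\r\\n\\t]", "_");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String info = req.getPathInfo(); // e.g. "/xp.css" under the servlet's mapping
        String name = info == null ? "" : info.substring(info.lastIndexOf('/') + 1); // basename only
        byte[] css = CSS.get(name);
        if (css == null) {
            send404Generic(req, resp);
            return;
        }
        resp.setContentType("text/css; charset=UTF-8");
        resp.getOutputStream().write(css);
    }
}
```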

          People

          • Assignee: Mircea Toma
          • Reporter: Arran Mccullough