Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: EE-1.8.2.GA_P03
- Fix Version/s: EE-1.8.2.GA_P04
- Component/s: Framework
- Labels: None
- Environment: All
Description
A customer has run security/vulnerability tests and found some potential security issues with the CSS resource path.
Attack Request: GET /<ContextPath>/xmlhttp/css/%3csCrIpT%3ealert(73888)%3c%2fsCrIpT%3e HTTP/1.1
Referer: http:// <servername:port>....TRUNCATED...
Attack Response: HTTP/1.1 404 Not Found
ETag: be339490
Cache-Control: private
Cache-Control: max-age=2629743
Last-Modified: Thu, 23 Jun 2011 16:39:20 GMT
Content-Type: text/plain; charset=UTF-8
Content-Language: en-US
Connection: Close
Date: Thu, 23 Jun 2011 22:39:23 GMT
Server: WebSphere Application Server/6.1
Content-Length: 75
Cannot find CSS file for /<ContextPath>/xmlhttp/css/
Activity

Arran Mccullough created issue.

Ken Fyten made changes:

Field | Original Value | New Value |
---|---|---|
Salesforce Case | [] | |
Fix Version/s | EE-2.0.0.GA_P01 [ 10271 ] | |
Fix Version/s | 2.1 [ 10241 ] | |
Fix Version/s | EE-1.8.2.GA_P04 [ 10280 ] | |
Assignee Priority | P1 | |
Assignee | Mircea Toma [ mircea.toma ] | |
Priority | Major [ 3 ] | Critical [ 2 ] |

Repository | Revision | Date | User | Message |
---|---|---|---|---|
ICEsoft Public SVN Repository | #24942 | Mon Jul 04 07:31:09 MDT 2011 | mircea.toma | |

Files Changed:
- MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeCSSResource.java

Repository | Revision | Date | User | Message |
---|---|---|---|---|
ICEsoft Public SVN Repository | #24943 | Mon Jul 04 07:33:37 MDT 2011 | mircea.toma | |

Files Changed:
- MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/FileServer.java
- MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/common/standard/PathDispatcherServer.java
- MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeJSCode.java

Mircea Toma made changes:

Status | Open [ 1 ] | Resolved [ 5 ] |
Resolution | Fixed [ 1 ] |

Ken Fyten made changes:

Salesforce Case | [] | |
Fix Version/s | 2.1 [ 10241 ] | |
Fix Version/s | EE-2.0.0.GA_P01 [ 10271 ] |

Ken Fyten made changes:

Salesforce Case | [] | |
Security | Private [ 10001 ] |

Ken Fyten made changes:

Status | Resolved [ 5 ] | Closed [ 6 ] |
Assignee Priority | P1 |

Repository | Revision | Date | User | Message |
---|---|---|---|---|
ICEsoft Public SVN Repository | #36621 | Wed Jul 10 10:01:23 MDT 2013 | arran.mccullough | |

Files Changed:
- MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/FileServer.java
- MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeCSSResource.java
- MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeJSCode.java
- MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/common/standard/PathDispatcherServer.java
Changed the code in the 1.8 branch to not render the path of the resource in the HTTP 404 response. This might avoid any future security issues, although the rendered path represented the request path, not the file system path.
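The fix described in this issue, modelled in Python as an added example (this is not ICEfaces code): the "before" handler echoes the request path into the text/plain 404 body the way the scanner observed, the "after" handler returns a constant body and keeps the path in the server log only, and a probe function acts as the regression check a maintainer would keep. The function names, the `/ctx/xmlhttp/css/` prefix and the sample request path are constructed for the example; the `X-Content-Type-Options: nosniff` header is an extra hardening step, not part of the recorded fix.

```python
"""Added example: a resource 404 handler before and after removing the
reflected request path, plus a probe that checks for reflection.
Not the ICEfaces project's own code; names and paths are assumptions."""
import logging
import secrets
from urllib.parse import unquote

log = logging.getLogger("resource-404")

# A handler takes the raw request path and returns (status, headers, body).
Response = tuple[int, dict[str, str], bytes]


def vulnerable_404(request_path: str) -> Response:
    """Before: reflect the request path into the error body.

    A servlet container hands the handler a percent-decoded path, so the
    unquote() here models what the container does before the handler runs;
    the body then contains whatever the client placed in the URL.
    """
    shown = unquote(request_path)
    body = f"Cannot find CSS file for {shown}"
    return 404, {"Content-Type": "text/plain; charset=UTF-8"}, body.encode("utf-8")


def hardened_404(request_path: str) -> Response:
    """After: constant body; the offending path goes to the server log only.

    The nosniff header is an assumption beyond the recorded fix: it stops
    browsers from reinterpreting a text/plain body as HTML.
    """
    log.warning("no CSS resource for request path %r", unquote(request_path))
    headers = {
        "Content-Type": "text/plain; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 404, headers, b"Cannot find CSS file"


def reflects_request_input(handler, base_path: str = "/ctx/xmlhttp/css/") -> bool:
    """Regression probe: request a path that cannot exist, carrying a random
    marker, and report whether the marker comes back in the response body.
    A handler that never reflects the marker cannot reflect any other
    request-path content through this error page either."""
    marker = "probe" + secrets.token_hex(8)
    _status, _headers, body = handler(base_path + marker)
    return marker.encode("ascii") in body


if __name__ == "__main__":
    # Constructed request path in the shape of the scanner's request on this issue.
    path = "/ctx/xmlhttp/css/%3cscript%3e"
    for name, handler in (("before", vulnerable_404), ("after", hardened_404)):
        status, headers, body = handler(path)
        print(name, status, headers["Content-Type"], body.decode("utf-8"))
        print("  reflects request input:", reflects_request_input(handler))
```

The probe is the useful part to keep: it is independent of any particular payload, so it stays valid even if the container's path decoding or the error text changes later. Running it against the "before" handler returns True and against the "after" handler returns False.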