  2. ICE-6987

Security vulnerability with ServeCSSResource.java

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: EE-1.8.2.GA_P03
    • Fix Version/s: EE-1.8.2.GA_P04
    • Component/s: Framework
    • Labels: None
    • Environment: All

      Description

      A customer has run security/vulnerability tests and found that there were some potential security issues with the CSS resource path.

      Attack Request: GET /<ContextPath>/xmlhttp/css/%3csCrIpT%3ealert(73888)%3c%2fsCrIpT%3e HTTP/1.1
      Referer: http:// <servername:port>....TRUNCATED...

      Attack Response: HTTP/1.1 404 Not Found
      ETag: be339490
      Cache-Control: private
      Cache-Control: max-age=2629743
      Last-Modified: Thu, 23 Jun 2011 16:39:20 GMT
      Content-Type: text/plain; charset=UTF-8
      Content-Language: en-US
      Connection: Close
      Date: Thu, 23 Jun 2011 22:39:23 GMT
      Server: WebSphere Application Server/6.1
      Content-Length: 75
      Cannot find CSS file for /<ContextPath>/xmlhttp/css/
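      The pattern the scanner flagged, and the shape of the fix committed under this ticket, shown as an added illustration that is not ICEfaces code (the real ServeCSSResource.java is not on this page; the servlet class, its mapping and the helper names below are assumptions). The pre-fix handler writes the request path into the 404 body; the post-fix handler returns a constant message, so nothing from the request reaches the response. The `X-Content-Type-Options: nosniff` header is an extra hardening step added here, not something the ticket records.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical CSS resource servlet used to illustrate ICE-6987.
 * It is NOT ICEfaces' ServeCSSResource; only the 404 handling pattern
 * (request path echoed into the body vs. a fixed message) mirrors the
 * change described in commits #24942 / #24943.
 */
public class CssResourceServlet extends HttpServlet {

    /** Message used after the fix: carries nothing taken from the request. */
    static final String NOT_FOUND_MESSAGE = "Resource not found";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Servlet path plus path info is client-controlled input; the
        // scanner's request in the ticket placed an encoded <script> tag here.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());

        InputStream css = getServletContext().getResourceAsStream(path);
        if (css == null) {
            sendNotFoundFixed(response);   // post-fix behaviour
            return;
        }
        try {
            response.setContentType("text/css; charset=UTF-8");
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = css.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            css.close();
        }
    }

    /**
     * Pre-fix pattern, kept only for comparison and never called above:
     * the request path is written verbatim into the 404 body, which is what
     * the scanner reported. The body is text/plain, so whether a client
     * treats it as HTML depends on content sniffing; the fix removes the
     * reflection regardless, which is stronger than encoding it.
     */
    static void sendNotFoundReflectingPath(HttpServletResponse response, String path)
            throws IOException {
        response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        response.setContentType("text/plain; charset=UTF-8");
        response.getWriter().write("Cannot find CSS file for " + path);
    }

    /**
     * Post-fix pattern: a constant body, so no request data can reach the
     * response. The nosniff header is additional hardening not taken from
     * the ticket; it tells browsers to honour the declared text/plain type.
     */
    static void sendNotFoundFixed(HttpServletResponse response) throws IOException {
        response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        response.setContentType("text/plain; charset=UTF-8");
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.getWriter().write(NOT_FOUND_MESSAGE);
    }
}
```

      Map the servlet to `/xmlhttp/css/*` in web.xml (an assumed mapping chosen to match the request path in the description). A quick regression check after deploying a fix of this kind is to request a nonexistent resource under that prefix and confirm the 404 body no longer contains any part of the request URI.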

        Activity

        Arran Mccullough created the issue.
        Ken Fyten made changes:
          Salesforce Case: []
          Fix Version/s: EE-2.0.0.GA_P01 [ 10271 ]
          Fix Version/s: 2.1 [ 10241 ]
          Fix Version/s: EE-1.8.2.GA_P04 [ 10280 ]
          Assignee Priority: P1
          Assignee: Mircea Toma [ mircea.toma ]
          Priority: Major [ 3 ] → Critical [ 2 ]
        Commit: ICEsoft Public SVN Repository #24942, Mon Jul 04 07:31:09 MDT 2011, mircea.toma
          ICE-6987 Avoid rendering the path of the resource in the HTTP 404 response.
          Files changed:
            MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeCSSResource.java
        Commit: ICEsoft Public SVN Repository #24943, Mon Jul 04 07:33:37 MDT 2011, mircea.toma
          ICE-6987 Avoid rendering the path of the resource in the HTTP 404 response.
          Files changed:
            MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/FileServer.java
            MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/common/standard/PathDispatcherServer.java
            MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeJSCode.java
        Mircea Toma added a comment -

        Changed the code in the 1.8 branch to not render the path of the resource in the HTTP 404 response. This might avoid any future security issues, although the rendered path represented the request path, not the file system path.

        Mircea Toma added a comment -

        The 'compat' resources in ICEfaces 2.* are served by the CompatResourceServlet, which already sends just a "Resource not found" message in its 404 responses.

        Mircea Toma made changes:
          Status: Open [ 1 ] → Resolved [ 5 ]
          Resolution: Fixed [ 1 ]
        Ken Fyten made changes:
          Salesforce Case: []
          Fix Version/s: 2.1 [ 10241 ]
          Fix Version/s: EE-2.0.0.GA_P01 [ 10271 ]
        Ken Fyten made changes:
          Salesforce Case: []
          Security: Private [ 10001 ]
        Ken Fyten made changes:
          Status: Resolved [ 5 ] → Closed [ 6 ]
          Assignee Priority: P1
        Commit: ICEsoft Public SVN Repository #36621, Wed Jul 10 10:01:23 MDT 2013, arran.mccullough
          ICE-6987 Avoid rendering the path of the resource in the HTTP 404 response.
          Files changed:
            MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/FileServer.java
            MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeCSSResource.java
            MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeJSCode.java
            MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/common/standard/PathDispatcherServer.java

          People

          • Assignee: Mircea Toma
          • Reporter: Arran Mccullough
          • Votes: 0
          • Watchers: 0
