ICEfaces / ICE-6987

Security vulnerability with ServeCSSResource.java

Details

  • Type: Bug
  • Status: Closed
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: EE-1.8.2.GA_P03
  • Fix Version/s: EE-1.8.2.GA_P04
  • Component/s: Framework
  • Labels: None
  • Environment: All

Description

A customer ran security/vulnerability tests and found potential security issues with the CSS resource path: the requested path is echoed back in the body of the HTTP 404 response.

      Attack Request: GET /<ContextPath>/xmlhttp/css/%3csCrIpT%3ealert(73888)%3c%2fsCrIpT%3e HTTP/1.1
      Referer: http:// <servername:port>....TRUNCATED...

      Attack Response: HTTP/1.1 404 Not Found
      ETag: be339490
      Cache-Control: private
      Cache-Control: max-age=2629743
      Last-Modified: Thu, 23 Jun 2011 16:39:20 GMT
      Content-Type: text/plain; charset=UTF-8
      Content-Language: en-US
      Connection: Close
      Date: Thu, 23 Jun 2011 22:39:23 GMT
      Server: WebSphere Application Server/6.1
      Content-Length: 75
      Cannot find CSS file for /<ContextPath>/xmlhttp/css/
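The following is an added illustration, not ICEfaces code and not the patch for this issue: a minimal stand-in for a CSS resource server that builds the 404 body the way the report shows (request path reflected) beside the fixed-message form the fix describes. The resource names, the class and method names, and the decoded request path are all constructed for the example.

```java
// Added example (not ICEfaces code): reflecting 404 body vs. fixed 404 body.
import java.util.Set;
import java.util.logging.Logger;

public class CssResourceServer {
    private static final Logger LOG = Logger.getLogger(CssResourceServer.class.getName());

    // Constructed sample of the stylesheets this server actually knows about.
    private static final Set<String> KNOWN_CSS = Set.of("xp.css", "rime.css");

    // Reflecting form: the attacker-controlled request path lands in the response body.
    public static String notFoundBodyReflecting(String path) {
        return "Cannot find CSS file for " + path;
    }

    // Hardened form: a constant body. The offending path goes to the server log only,
    // with control characters replaced so it cannot forge extra log lines either.
    public static String notFoundBodyFixed(String path) {
        LOG.warning("CSS resource not found: " + path.replaceAll("\\p{Cntrl}", "?"));
        return "Cannot find CSS file";
    }

    // Resolve a request path to a resource; on a miss, return the 404 body
    // (the caller would send it with status 404 and Content-Type text/plain).
    public static String serve(String path, boolean reflectPath) {
        String name = path.substring(path.lastIndexOf('/') + 1);
        if (KNOWN_CSS.contains(name)) {
            return "/* contents of " + name + " */"; // stand-in for the real stylesheet
        }
        return reflectPath ? notFoundBodyReflecting(path) : notFoundBodyFixed(path);
    }

    public static void main(String[] args) {
        // URL-decoded form of the scanner's request from the report (context path constructed).
        String probe = "/app/xmlhttp/css/<sCrIpT>alert(73888)</sCrIpT>";
        System.out.println(serve(probe, true));  // body carries the injected markup
        System.out.println(serve(probe, false)); // body is the constant message
        System.out.println(serve("/app/xmlhttp/css/xp.css", false)); // known resource is served
    }
}
```

The captured response is served as text/plain, which on its own keeps most browsers from executing the reflected markup; removing the reflection altogether, as the fix does, means the outcome no longer depends on the client honouring that header.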

Activity

Repository: ICEsoft Public SVN Repository

  • Revision #36621, Wed Jul 10 10:01:23 MDT 2013, arran.mccullough: ICE-6987 Avoid rendering the path of the resource in the HTTP 404 response.
    Files changed:
      MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/FileServer.java
      MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeCSSResource.java
      MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeJSCode.java
      MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/webapp/http/common/standard/PathDispatcherServer.java
  • Revision #24943, Mon Jul 04 07:33:37 MDT 2011, mircea.toma: ICE-6987 Avoid rendering the path of the resource in the HTTP 404 response.
    Files changed:
      MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/FileServer.java
      MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/common/standard/PathDispatcherServer.java
      MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeJSCode.java
  • Revision #24942, Mon Jul 04 07:31:09 MDT 2011, mircea.toma: ICE-6987 Avoid rendering the path of the resource in the HTTP 404 response.
    Files changed:
      MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/ServeCSSResource.java

People

  • Assignee: Mircea Toma
  • Reporter: Arran Mccullough
  • Votes: 0
  • Watchers: 0
