  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-10877

Seam WebResource causes potential Path Vulnerability

Details

    • Bug
    • Resolution: Done
    • Major
    • EAP_EWP 5.3.0.ER1
    • EAP_EWP 5.1.0
    • Seam2
    • None
    • Release Notes
    • In previous releases of JBoss EAP 5, Seam WebResource could cause a potential path vulnerability. This release of the product sees the removal of WebResource, as Seam no longer uses it. This action, therefore, also resolves the vulnerability issue.
    • Documented as Resolved Issue
    • NEW

    Description

      Whenever a user uses jboss-seam-ui.jar in his application, an org.jboss.seam.ui.resource.WebResource is automatically started, and when a certain URL is accessed

      #{path_to_app}/seam/resource/web

      an archive with the WebResource class is downloaded, i.e. anything in the org.jboss.seam.ui.resource package can be accessed from outside.

      This is a potential vulnerability, since an attacker can see parts of the implementation of the application.
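
An added example, not part of the issue or of Seam's own code: an inventory check that reports which deployment archives bundle the `org.jboss.seam.ui.resource.WebResource` class named in the description, including when it sits in a jar nested inside a WAR or EAR. The archive names (`shop.ear`, `shop.war`, `other.jar`) and the helper function names are constructed for illustration.

```python
import io
import zipfile

# Class named in the issue description, as it appears as an entry inside a jar.
TARGET_CLASS = "org/jboss/seam/ui/resource/WebResource.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".sar")

def find_webresource(data, label, depth=0, max_depth=4):
    """Return 'outer!/inner' paths of every archive that bundles TARGET_CLASS."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive, nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name == TARGET_CLASS:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                # Recurse into nested archives (jar inside war inside ear);
                # max_depth bounds the recursion on hostile or odd input.
                nested = f"{label}!/{name}"
                hits += find_webresource(zf.read(info), nested, depth + 1, max_depth)
    return hits

def build_zip(entries):
    """Constructed sample data: in-memory archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Scan a constructed EAR whose WAR ships jboss-seam-ui.jar."""
    seam_ui = build_zip({TARGET_CLASS: b"\xca\xfe\xba\xbe"})
    other = build_zip({"com/example/Util.class": b"\xca\xfe\xba\xbe"})
    war = build_zip({"WEB-INF/lib/jboss-seam-ui.jar": seam_ui,
                     "WEB-INF/lib/other.jar": other,
                     "index.xhtml": b"<html/>"})
    ear = build_zip({"shop.war": war, "lib/other.jar": other})
    return find_webresource(ear, "shop.ear")

if __name__ == "__main__":
    for path in demo():
        print(path)
```

To scan a real deployment, read the archive's bytes from disk and pass them to `find_webresource` with the file name as the label.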

            People

              mnovotny@redhat.com Marek Novotny
              rhn-support-jtrantin Jonáš Trantina (Inactive)