
DefaultServlet serves CSS and JS blobs even if directory listing is disabled


    Description

      Looking at the code, this probably affects the `ResourceHandler` class, but I'm not using it at the moment to test.

      If you have a deployment which has disabled directory listing, you can still get Undertow to serve up the CSS and JS blobs if you hit a real folder with ?css or ?js in the query string. This is because both the `DefaultServlet` and `ResourceHandler` serve up the CSS and JS blobs before ever checking if directory listing is enabled.


      While the contents of the CSS/JS files aren't sensitive, this can be used as an information disclosure to detect whether a server is running Undertow by guessing a well-known directory name.  

      Here are real examples from one of my production servers which is "locked down" and has directory listing disabled.  I would not expect these to return the CSS and JS content.

      https://www.ortussolutions.com/config/?css

      https://www.ortussolutions.com/config/?js

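The following probe is an added example written for this page; it is not code from the issue, from the reporter, or from Undertow. It automates the check described above: for each candidate directory it requests the bare directory plus the same URL with ?css and ?js, then reports a leak when the listing itself is denied but a stylesheet or script still comes back. Two things are assumptions, not facts stated in the report: that the blobs are returned with a text/css or *javascript Content-Type, and that a disabled listing answers the bare directory with a non-200 status. The sample responses embedded at the bottom are constructed, not a capture from the reporter's server.

```python
"""Probe for the UNDERTOW-2190 behaviour: a real directory answered with the
directory-listing CSS/JS when ?css or ?js is appended, even though directory
listing is disabled. Added example; not part of the issue or of Undertow."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

BLOB_QUERIES = ("css", "js")


@dataclass(frozen=True)
class Response:
    status: int
    content_type: str  # Content-Type header value, "" when absent


def probe_urls(base: str, directories: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (directory_url, query, blob_url) triples for every candidate.

    The bare directory is requested as well, so a blob hit can be told apart
    from a server that simply has directory listing enabled."""
    base = base.rstrip("/")
    triples = []
    for d in directories:
        dir_url = f"{base}/{d.strip('/')}/"
        for q in BLOB_QUERIES:
            triples.append((dir_url, q, f"{dir_url}?{q}"))
    return triples


def is_blob(query: str, resp: Response) -> bool:
    """Assumption: the listing blob is a 200 with a CSS or JavaScript type."""
    if resp.status != 200:
        return False
    ct = resp.content_type.lower()
    return "text/css" in ct if query == "css" else "javascript" in ct


def classify(query: str, dir_resp: Response, blob_resp: Response) -> str:
    """'leak'        blob served although the bare directory is not 200
    'blob-served' blob served and the bare directory is 200 HTML: either a
                  listing or a welcome file, so it needs a manual look
    'clean'       no blob came back"""
    if not is_blob(query, blob_resp):
        return "clean"
    if dir_resp.status == 200 and "text/html" in dir_resp.content_type.lower():
        return "blob-served"
    return "leak"


def fetch(url: str, timeout: float = 10.0) -> Response:
    """GET url and reduce it to (status, content-type). HTTP error statuses
    are still responses; transport failures become status 0."""
    req = Request(url, headers={"User-Agent": "undertow-2190-probe"})
    try:
        with urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Content-Type", ""))
    except HTTPError as e:
        ct = e.headers.get("Content-Type", "") if e.headers else ""
        return Response(e.code, ct)
    except URLError:
        return Response(0, "")


def scan(base: str, directories: Iterable[str],
         fetch_fn: Callable[[str], Response] = fetch) -> List[Tuple[str, str]]:
    """Run the probe and return (blob_url, verdict) per query; fetch_fn is
    injectable so the logic can be exercised offline."""
    results = []
    for dir_url, query, blob_url in probe_urls(base, directories):
        verdict = classify(query, fetch_fn(dir_url), fetch_fn(blob_url))
        results.append((blob_url, verdict))
    return results


# Constructed sample (not a real capture) shaped like the reporter's /config/
# case: the bare directory is refused, both blobs are served anyway.
SAMPLE = {
    "https://www.ortussolutions.com/config/": Response(403, "text/html"),
    "https://www.ortussolutions.com/config/?css": Response(200, "text/css"),
    "https://www.ortussolutions.com/config/?js": Response(200, "application/javascript"),
}

if __name__ == "__main__":
    for url, verdict in scan("https://www.ortussolutions.com", ["config"], SAMPLE.__getitem__):
        print(verdict, url)
```

Replace SAMPLE.__getitem__ with the default fetch to run against a live host. A 'blob-served' verdict is deliberately not counted as a leak, because a directory with a welcome file also answers 200 text/html with listing disabled; only the body tells those two cases apart.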

People

rhn-support-rmartinc Ricardo Martin Camarero
bdw429s Brad Wood