XWiki Platform: XWIKI-23438

XJetty allows accessing any application file through URL


    Description

      Hi,


      It seems that the Debian packages for XWiki with Jetty "xwiki-xjetty-common, xwiki-xjetty-mariadb 16.10.10" have an insecure default configuration.

      "Various application or web servers / products are prone to an information disclosure vulnerability.

      Detection Result

      Vulnerable URL: https://xwiki.example.com/webapps/root/WEB-INF/web.xml"

      I know it is a local configuration issue on the system - the problem is I have used the default config of the package xwiki-jetty-common without any changes. I would expect the servlet container to prohibit this by default, as Tomcat does, for example.

      And that is the very dangerous thing in my opinion...

      MichaelHamann:
      I confirm in the Jetty demo distribution I can also access the URLs /webapps/xwiki/WEB-INF/xwiki.properties and /webapps/xwiki/WEB-INF/hibernate.cfg.xml (which definitely shouldn't be possible).
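      As an added check, not part of this issue nor of XWiki's or Jetty's own code: a small Python script that requests the three WEB-INF paths named above from a deployment and reports which ones come back as real files, so an administrator can confirm that a container fix or configuration change actually took effect. The host name and the constructed stand-in server are assumptions; a container that protects WEB-INF should answer 404 or 403 for all three.

```python
"""Check whether an XWiki/Jetty deployment serves files from under WEB-INF,
the exposure reported in this issue. Added example, not XWiki or Jetty code."""
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Paths named in the report; the webapps/root and webapps/xwiki prefixes
# follow the XJetty layout quoted there.
SENSITIVE_PATHS = [
    "/webapps/root/WEB-INF/web.xml",
    "/webapps/xwiki/WEB-INF/xwiki.properties",
    "/webapps/xwiki/WEB-INF/hibernate.cfg.xml",
]

def http_fetch(url, timeout=5.0):
    """GET the URL -> (status, first bytes). HTTP errors give their status,
    network errors give 0, so an unreachable host never reads as exposed."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except HTTPError as e:
        return e.code, b""
    except URLError:
        return 0, b""

def check_exposure(base_url, fetch=http_fetch, paths=SENSITIVE_PATHS):
    """Map each path to True when the server hands the file back. A 200 whose
    body is an HTML error page (a soft 404) does not count as exposure."""
    base = base_url.rstrip("/")
    result = {}
    for path in paths:
        status, body = fetch(base + path)
        head = body.lstrip()[:256].lower()
        result[path] = status == 200 and b"<html" not in head
    return result

def exposed_paths(base_url, fetch=http_fetch):
    """Sorted paths the deployment exposes; an empty list is the healthy case."""
    return sorted(p for p, bad in check_exposure(base_url, fetch).items() if bad)

def constructed_fetch(url):
    """Constructed stand-in for a server (no network): exposes web.xml, gives a
    real 404 for xwiki.properties and a soft-404 HTML page for hibernate.cfg.xml."""
    if url.endswith("/web.xml"):
        return 200, b'<?xml version="1.0"?><web-app/>'
    if url.endswith("/xwiki.properties"):
        return 404, b"<html><body>Error 404</body></html>"
    return 200, b"<html><body>Error 404 Not Found</body></html>"

if __name__ == "__main__":  # demo on the stand-in; pass a real base URL with http_fetch
    print("exposed:", exposed_paths("https://xwiki.example.com", constructed_fetch))
```

      Run against a real instance with `exposed_paths("https://your-host")`; the default fetcher uses only the standard library.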

            People

              tmortagne Thomas Mortagne
              sepp_huber Joseph