In the link I posted in my first reply, there are some T5.0.18 sites
that don't list WEB-INF, in some you can find the hibernate.cfg.xml
under /assets/, in some you don't.
Some also seem to implement the workaround, so there isn't any directory
listing.
But hey, the *default* is, everybody can read your configurations! I
found some database connection strings including username and passwords.
That's not automatically a backdoor, but it makes certain activities a
lot easier ;)
Please, Thiago, Howard, any committer: fix this! :)
regards
christian
Thiago H. de Paula Figueiredo wrote:
On Tue, 25 Aug 2009 10:25:21 -0300, Onno Scheffers <o...@piraya.nl>
wrote:
Apparently it does, since Christian also provided example-links.
I stand corrected.
I just checked and I can also publicly access resources like the
web.xml and hibernate.cfg.xml on a webapp that is already in
production using Tapestry 5.0.18. This is a *VERY* high priority
security-issue with Tapestry IMO.
Have you ever found some insecure resource URL that doesn't include
WEB-INF on it?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
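As an added illustration of the kind of stop-gap the thread calls a "workaround" (this is example code, not anything from the Tapestry project or the posters): a servlet filter, assumed to be mapped to /* ahead of the Tapestry filter in web.xml, that refuses any request whose path, after URL decoding, names a WEB-INF or META-INF segment or one of the configuration files the thread mentions. The file list is constructed for the example and needs Java 10 or later for the URLDecoder overload used.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical mitigation: deny delivery of descriptors and config files. */
public class ProtectedResourceFilter implements Filter {
    // Constructed list of file names that must never be served as assets.
    private static final Set<String> PROTECTED_FILES =
        Set.of("web.xml", "hibernate.cfg.xml", "applicationcontext.xml");

    /** True when the request path should be refused, whatever its URL spelling. */
    static boolean isForbidden(String rawPath) {
        String path = rawPath;
        try {
            // Decode twice so a double-encoded "%2557EB-INF" is caught as well.
            for (int i = 0; i < 2; i++) {
                path = URLDecoder.decode(path, StandardCharsets.UTF_8);
            }
        } catch (IllegalArgumentException malformed) {
            return true; // malformed percent-encoding: fail closed
        }
        path = path.replace('\\', '/').toLowerCase(Locale.ROOT);
        for (String segment : path.split("/")) {
            if (segment.equals("web-inf") || segment.equals("meta-inf")) return true;
            if (PROTECTED_FILES.contains(segment)) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        String uri = ((HttpServletRequest) req).getRequestURI();
        if (isForbidden(uri)) {
            // 404 rather than 403: do not confirm that the resource exists.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

A deny-list like this only narrows the exposure the thread describes; the real fix is for the asset handler to serve nothing outside an explicitly allowed set of resources, so that other files on the classpath stay private too.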