On Tue, 25 Aug 2009 11:01:58 -0300, Christian Riedel
<christian-rie...@gmx.net> wrote:
> In the link I posted in my first reply, there are some T5.0.18 sites
> that don't list WEB-INF; in some you can find the hibernate.cfg.xml
> under /assets/, in some you don't.
> Some also seem to implement the workaround, so there isn't any directory
> listing.
As far as I can remember, Tapestry 5.0 had a different security bug than
5.1. Please let me know if I'm wrong.
> But hey, the *default* is, everybody can read your configurations! I
> found some database connection strings including username and passwords.
> That's not automatically a backdoor, but it makes certain activities a
> lot easier ;)
You're absolutely right. It should have been secure by default.
> Please, Thiago, Howard, any committer: fix this! :)
Everyone is invited to contribute to the solution by posting all the ways
we can have access to assets that shouldn't be available. ;)
--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
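The thread's point is that the asset handler served classpath resources such as hibernate.cfg.xml under /assets/ by default, and that the only workaround in use was disabling directory listing. Below is an added example of the kind of "secure by default" guard a deployment could put in front of the asset path while waiting for a framework fix. It is not code from the thread, from Tapestry, or from any of the people quoted; it is a plain javax.servlet filter written here for illustration. It assumes assets are served under the /assets/ prefix mentioned in the thread and uses a deny-list (WEB-INF, META-INF, traversal segments, directory requests, and .xml/.properties files), which catches the cases the thread names but is not a substitute for the framework refusing to serve non-asset resources at all.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not part of Tapestry) that refuses
 * asset requests for configuration files, container-private directories,
 * path traversal and directory listings. Map it to /assets/* in web.xml.
 */
public class SensitiveAssetFilter implements Filter {

    // Assumption: the application serves static assets under this prefix
    // (the /assets/ path mentioned in the thread).
    static final String ASSET_PREFIX = "/assets/";

    // Segments that must never appear in an asset path: container-private
    // directories and ".." traversal, matched as whole segments only.
    private static final Pattern PRIVATE_SEGMENT =
            Pattern.compile("(^|/)(web-inf|meta-inf|\\.\\.)(/|$)");

    // Extensions typical of configuration files (hibernate.cfg.xml,
    // *.properties and the like); constructed deny-list for this example.
    private static final Pattern CONFIG_EXTENSION =
            Pattern.compile("\\.(xml|properties)$");

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Context-relative path, e.g. "/assets/hibernate.cfg.xml".
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (isForbiddenAssetPath(path)) {
            // 404 rather than 403: do not confirm that the resource exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns true when a context-relative request path under /assets/ should
     * be refused. Non-asset paths return false and are left to other handlers.
     */
    static boolean isForbiddenAssetPath(String rawPath) {
        String path;
        try {
            // Decode percent-encoding first so "%2e%2e" or "WEB%2DINF" are
            // compared in the same form as their literal spellings.
            path = URLDecoder.decode(rawPath, "UTF-8").toLowerCase(Locale.ROOT);
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return true; // malformed encoding: refuse rather than guess
        }
        if (!path.startsWith(ASSET_PREFIX)) {
            return false;
        }
        String rest = path.substring(ASSET_PREFIX.length());
        // Empty or trailing-slash request is a directory request; a listing is
        // exactly what the thread's workaround turns off.
        if (rest.isEmpty() || rest.endsWith("/")) {
            return true;
        }
        return PRIVATE_SEGMENT.matcher(rest).find()
                || CONFIG_EXTENSION.matcher(rest).find();
    }
}
```

With this filter, `/assets/hibernate.cfg.xml`, `/assets/WEB-INF/web.xml`, `/assets/%2e%2e/WEB-INF/web.xml` and `/assets/` are all answered with 404, while `/assets/css/site.css` passes through unchanged. The check is case-insensitive and decodes before matching, which closes the obvious encoding bypasses, but a deny-list can only name what its author thought of; the durable fix is the one Christian asks for, an asset handler that serves nothing outside explicitly published resource folders.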