[jetty-dev] security vulnerability in ResourceHandler and DefaultServlet

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] security vulnerability in ResourceHandler and DefaultServlet with aliases

From: Greg Wilkins <gregw@xxxxxxxxxxx>
Date: Thu, 30 Apr 2009 16:36:27 +1000
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-dev>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Thunderbird 2.0.0.21 (X11/20090409)

A security vulnerability has been discovered in jetty that affects
all version of Jetty up to and including jetty 6.1.16 and 7.0.0.M2
On a vulnerable server, a crafted URL may access files outside of
the web application or document tree.

To be vulnerable to this issue, you must EITHER:

  * be using the DefaultServlet with support for aliases
    explicitly turned on.

OR

  * be using the ResourceHandler class to serve static content.

Furthermore, on unix systems, system are only vulnerable if directory
with a name ending with the character '?' to exist in the webapp or
docroot. On unix, this is an unlikely situation.

On windows systems, this directory does not need to exist, so
the vulnerability requires only a single change from the default
configuration.

The default configuration of webapplications is not vulnerable
and if you have not edited the webdefault.xml file, then your
application should not be affected.

This is being tracked in http://jira.codehaus.org/browse/JETTY-1004.

A 6.1.17 release will be available shortly with this vulnerability
closed. Some immediate preventative actions are listed below.

If you are not using the ResourceHandler, then you should
confirm that your jetty instance is running with
the Default servlet "aliases" initParam set to "false".
You will find this setting in either your application's
web.xml or the etc/webdefault.xml. If it is not set,
then it takes the default, safe, value of "false".
You should also check that the
org.mortbay.util.FileResource.checkAliases
system property is either not set, or set to true.

If you are using the ResourceHandler, then you can secure your
system against this vulnerability by compiling the source
at the bottom of this message against the version of Jetty
that you are using. Use an instance of this class instead
of the ResourceHandler

If you have any questions about this, please do not
hesitate to ask the jetty team

----------------------------------------------------------------------

 package org.mortbay.jetty.cert;
 import java.net.MalformedURLException;
 import org.mortbay.jetty.handler.ResourceHandler;
 import org.mortbay.resource.Resource;
 import org.mortbay.util.StringUtil;
 import org.mortbay.util.URIUtil;
 public class TempFixResourceHandler extends ResourceHandler
 {
     public Resource getResource(String path) throws MalformedURLException
     {
         if (path!=null && path.indexOf('?')>=0)
         {
             path=URIUtil.decodePath(URIUtil.canonicalPath(StringUtil.replace(path,"?","%3F")));
             if (path==null)
                 return null;
         }
         return super.getResource(path);
     }
 }

Prev by Date: [jetty-dev] Jetty @ Eclipse Webinar coming up
Next by Date: Re: [jetty-dev] Servlet-3.0 WebApp configuration
Previous by thread: [jetty-dev] Jetty @ Eclipse Webinar coming up
Next by thread: [jetty-dev] eclipse conditioning process
Index(es):
- Date
- Thread

Breadcrumbs