lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <e9c0e820-cc47-430f-bd8b-07a43833a920@gopivotal.com>
Date: Wed, 19 Feb 2014 02:14:01 -0800 (PST)
From: Pivotal Security Team <security@...ivotal.com>
To: security@...ivotal.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: CVE-2014-0053 Information Disclosure when using
	Grails

CVE-2014-0053 Information Disclosure in Grails applications

Severity: Important

Vendor: Grails by Pivotal

Versions Affected:
- Grails 2.0.0 to 2.3.5

Description:
The Grails resources plug-in, a default dependency of Grails since
2.0.0, does not block access to resources located under /WEB-INF by
default. This means that both configuration files and class files
are publicly accessible when they should be private.

Mitigation:
Users of affected versions should apply one of the following
mitigations:
- Upgrade to Grails 2.3.6 and redeploy the application
- Configure the resources plugin to block access to /WEB-INF
- Prevent access to /WEB-INF in the reverse proxy (if one is used)

Possible configuration options to block access to /WEB-INF include
adding the following to grails-app/conf/Config.groovy:
grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']

Credit:
This issue was identified by @Ramsharan065 but was reported publicly
to the Grails team via Twitter. Pivotal strongly encourages responsible
reporting of security vulnerabilities via security@...ivotal.com

References:
https://twitter.com/Ramsharan065/status/434975409134792704
https://github.com/grails/grails-core/commit/2d5d2a8b3e40111412051dbbeb32eae005fdcf35
http://www.gopivotal.com/security/cve-2014-0054 (may take up to 24 hours to go live)

History:
2014-Feb-16: Issue made public
2014-Feb-19: Initial vulnerability report published
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ