incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Harry Metske (JIRA)" <>
Subject [jira] Updated: (JSPWIKI-315) Attachment upload allows .jsp files
Date Sat, 23 Aug 2008 16:55:44 GMT


Harry Metske updated JSPWIKI-315:

    Security:     (was: Security Vulnerability Disclosure)

> Attachment upload allows .jsp files
> -----------------------------------
>                 Key: JSPWIKI-315
>                 URL:
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Core & storage
>    Affects Versions: 2.7.x
>         Environment: All
>            Reporter: Andrew Jaquith
>             Fix For: 2.6.4, 2.8
> As described in the vulnerability disclosure. An uploaded file attachment, if a JSP,
will execute when viewed.  Steps to reproduce:
> 1. Create a JSP called Foo.jsp with these contents: URI: <%=request.getRequestURI()%>
> 2. Navigate to page Main and upload this attachment/
> 3. Supplying the URL http://localhost:8080/JSPWiki/Foo.jsp will execute the JSP and display
the URI.
> However, uploading a file that contains JSP content, but does NOT have the .jsp suffix
seems fine. E.g., http://localhost:8080/JSPWiki/Bar (no extension) does cause the contents
of Bar to be compiled and executed. 
> Recommendation: any files with .jsp extension should be forcibly stripped out from the
file, or else simply rejected.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message