Home page logo

fulldisclosure logo Full Disclosure mailing list archives

CVE-2014-0053 Information Disclosure when using Grails
From: Pivotal Security Team <security () gopivotal com>
Date: Wed, 19 Feb 2014 02:14:01 -0800 (PST)

CVE-2014-0053 Information Disclosure in Grails applications

Severity: Important

Vendor: Grails by Pivotal

Versions Affected:
- Grails 2.0.0 to 2.3.5

The Grails resources plug-in, a default dependency of Grails since
2.0.0, does not block access to resources located under /WEB-INF by
default. This means that both configuration files and class files
are publicly accessible when they should be private.

Users of affected versions should apply one of the following
- Upgrade to Grails 2.3.6 and redeploy the application
- Configure the resources plugin to block access to /WEB-INF
- Prevent access to /WEB-INF in the reverse proxy (if one is used)

Possible configuration options to block access to /WEB-INF include
adding the following to grails-app/conf/Config.groovy:
grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']

This issue was identified by @Ramsharan065 but was reported publicly
to the Grails team via Twitter. Pivotal strongly encourages responsible
reporting of security vulnerabilities via security () gopivotal com

http://www.gopivotal.com/security/cve-2014-0054 (may take up to 24 hours to go live)

2014-Feb-16: Issue made public
2014-Feb-19: Initial vulnerability report published
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]