Security Hole in javax.faces.resource allows path traversal
843844 | Aug 26 2010 (edited Sep 7 2010)
There's a security hole with how resources are handled in JSF. Resources (images, css, etc.) come in through the URL pattern "...../javax.faces.resource/....". The problem is, a hacker can do something like:
project-name/javax.faces.resources/stylesheet.css.jsf?ln=\..\..\..\..\sensitive.txt%00.html
JSF will allow this to happen and display the contents of that file. The Security Team at my company was able to examine my team's Glassfish domain.xml file, get username/password information, and break into our database.
Our solution was to create a ServletFilter which checks for the ".." pattern, a.k.a. "dot dot slash". If the filter finds a ".." pattern then it won't allow further processing (it displays an HTML 500 error page).
Does anyone have a better solution to this problem?
Does anyone know why such a huge security hole was left unchecked by the developers of JSF 2.0?
Thanks!
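As an added illustration of the filter approach the poster describes (this is example code, not the poster's own filter or anything from the JSF project), the following Servlet filter rejects javax.faces.resource requests whose path or "ln" parameter contains traversal segments, backslashes, or null bytes; the mapping name, the choice of a 400 response, and the UTF-8 decoding are assumptions.

```java
import java.io.IOException;
import java.net.URLDecoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Constructed example: refuses javax.faces.resource requests whose resource
 * path or "ln" (library name) parameter looks like a traversal attempt.
 * Map it in web.xml to the same URL patterns the FacesServlet serves
 * (e.g. *.jsf or /faces/*) so it runs before the resource handler.
 */
public class ResourceTraversalFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** True when the value contains "..", ".", a backslash or a NUL, after decoding. */
    static boolean isSuspicious(String value) {
        if (value == null) return false;
        String decoded;
        try {
            // Decode so %2e%2e / %00 are caught as well as the literal forms.
            decoded = URLDecoder.decode(value, "UTF-8");
        } catch (Exception e) {
            return true; // malformed escapes are treated as hostile
        }
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) return true;
        // Check whole segments, not a bare substring, so names like "a..b" still work.
        for (String seg : decoded.split("/")) {
            if (seg.equals("..") || seg.equals(".")) return true;
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String path = http.getRequestURI();
        // Only resource requests are inspected; the rest of the application is untouched.
        if (path != null && path.contains("/javax.faces.resource/")
                && (isSuspicious(path) || isSuspicious(req.getParameter("ln")))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Checking the "ln" parameter separately matters because the traversal in the post rides on the library name, not on the request path itself.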