View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006852 | SymmetricDS Pro | Bug | public | 2025-04-28 12:53 | 2025-05-05 16:34 |
| Reporter | elong | Assigned To | elong | ||
| Priority | normal | ||||
| Status | closed | Resolution | fixed | ||
| Product Version | 3.15.0 | ||||
| Target Version | 3.15.16 | Fixed in Version | 3.15.16 | ||
| Summary | 0006852: Disallow access to WEB-INF | ||||
| Description | On Windows server with standalone deployment based on Jetty, it is possible to retrieve URLs under WEB-INF by adding a period to the path. An actor could gain access to JAR files in WEB-INF/lib, including symmetric-pro JAR files. However, these files are already publicly available and obfuscated. The requests do not work on Mac or Linux servers, only Windows. | ||||
| Steps To Reproduce | http://localhost/WEB-INF./web.xml | ||||
| Tags | security | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-04-28 12:53 | elong | New Issue | |
| 2025-04-28 12:53 | elong | Status | new => assigned |
| 2025-04-28 12:53 | elong | Assigned To | => elong |
| 2025-04-28 12:53 | elong | Tag Attached: security | |
| 2025-04-28 12:58 | elong | Status | assigned => resolved |
| 2025-04-28 12:58 | elong | Resolution | open => fixed |
| 2025-04-28 12:58 | elong | Fixed in Version | => 3.15.16 |
| 2025-04-28 12:58 | elong | Issue cloned: 0006853 | |
| 2025-04-28 12:58 | elong | Relationship added | related to 0006853 |
| 2025-05-05 16:34 | pbelov | Note Added: 0002879 | |
| 2025-05-05 16:34 | pbelov | Status | resolved => closed |