
Information disclosure from share

    Details

    • Security Severity:
      Low
    • Resolution Time Custom Field:
      66 weeks, 1 day, 10 hours, 46 minutes, 57 seconds

Description

By design, Share serves up resources to unauthenticated users from any META-INF directory on the classpath. For example:

    curl https://your-alfresco-site/share/res/maven/org.alfresco/alfresco-core/pom.properties

gives you back the pom properties.

It is an open source project, so all of the out-of-the-box information is available to any member of the public anyway; however, it's possible that a jar might include files in META-INF that are sensitive, and these would be served up. For example, I might have a jar in my tomcat/common classpath that, unintentionally or otherwise, contains credentials of some kind. All an attacker needs to do is try some standard names for config files and they have it, e.g.:

    curl https://your-alfresco-site/share/res/db.properties

Servlet 3.0 does something like this as well, but it at least restricts it to a subpath under META-INF.

I've also seen that there seem to be a bunch of patterns you can configure to deny access, but the OOTB configuration is quite permissive.
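The check a practitioner would want to run against their own deployment, written as an added example (not code from the JIRA issue or from the Alfresco project): an unauthenticated probe of /share/res/ using the two paths from the report plus a few more guessed config-file names. Assumptions not taken from the report: the extra candidate paths, the `fetch` callable and result shape, the crude credential-keyword triage, and the constructed responses in `demo()` standing in for a real Share server.

```python
"""Probe an Alfresco Share instance for classpath resources exposed under /share/res/.

Added example; not part of the JIRA issue or of Alfresco itself. Per the report,
/share/res/<path> maps onto META-INF/<path> of any jar on the classpath. The
candidate list, fetcher interface, keyword triage and demo responses are my own
assumptions, not something the report documents.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# First two paths are the ones the report names; the rest are illustrative
# guesses of the same "standard config file name" kind (assumption).
CANDIDATE_PATHS = [
    "maven/org.alfresco/alfresco-core/pom.properties",
    "db.properties",
    "database.properties",
    "application.properties",
    "jdbc.properties",
    "MANIFEST.MF",
]

# Substrings that suggest a served file carries credentials (assumption).
SECRET_HINTS = ("password", "passwd", "secret", "token", "jdbc:")

Fetcher = Callable[[str], Tuple[int, bytes]]


def share_res_url(base_url: str, path: str) -> str:
    """Build the /share/res/<path> URL that Share resolves against META-INF/<path>."""
    return base_url.rstrip("/") + "/share/res/" + path.lstrip("/")


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Plain unauthenticated GET (no cookies, no auth header): (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "share-res-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def looks_sensitive(body: bytes) -> bool:
    """Cheap triage: does the body mention a credential-like key?"""
    text = body.decode("utf-8", errors="replace").lower()
    return any(hint in text for hint in SECRET_HINTS)


def probe(base_url: str, paths: Iterable[str], fetch: Fetcher = http_fetch) -> Dict:
    """Return {"served": {path: looks_sensitive}, "not_served": [paths]}.

    Anything in "served" is reachable without logging in; a True value means
    it should be looked at by a human immediately.
    """
    served: Dict[str, bool] = {}
    not_served: List[str] = []
    for path in paths:
        status, body = fetch(share_res_url(base_url, path))
        if status == 200:
            served[path] = looks_sensitive(body)
        else:
            not_served.append(path)
    return {"served": served, "not_served": not_served}


def demo() -> Dict:
    """Run probe() against constructed responses (no network); sample data is made up."""
    base = "https://alfresco.example"
    fake_server = {
        share_res_url(base, "maven/org.alfresco/alfresco-core/pom.properties"):
            (200, b"version=0.0.0-constructed\ngroupId=org.alfresco\nartifactId=alfresco-core\n"),
        share_res_url(base, "db.properties"):
            (200, b"db.url=jdbc:postgresql://db/alfresco\ndb.username=alfresco\ndb.password=example\n"),
    }

    def fake_fetch(url: str) -> Tuple[int, bytes]:
        return fake_server.get(url, (404, b"not found"))

    return probe(base, CANDIDATE_PATHS, fetch=fake_fetch)


if __name__ == "__main__":
    import sys

    # With a base URL argument, hit the real server; otherwise run the offline demo.
    result = probe(sys.argv[1], CANDIDATE_PATHS) if len(sys.argv) > 1 else demo()
    for path, sensitive in result["served"].items():
        flag = "  <-- credential-like content" if sensitive else ""
        print(f"served: {path}{flag}")
    print(f"not served: {', '.join(result['not_served']) or 'none'}")
```

Run it as `python probe.py https://your-alfresco-site` against a test instance you own; any 200 for a path you did not expect means a jar on that classpath is shipping that file in META-INF, and the fix is either to strip it from the jar or to add a deny pattern in the Share configuration the report mentions.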

People

• Assignee: Closed Issues (closedissues)
• Reporter: Nick Griffiths (nickg.catalyst)
• Votes: 0
• Watchers: 6


Time Tracking

• Estimated: Not Specified
• Remaining: 0m
• Logged: 5m