Description
A vulnerability has been identified in JSFTemplating, Mojarra Scales, and GlassFish that attackers could exploit to gain unauthorized access to arbitrary files on a vulnerable system. The issue is caused by an input validation error in the "jsft_resource.jsf" script, which does not validate the "filename" parameter, so the contents of arbitrary files on the system can be disclosed.
A further input validation error in the "scales_static_resource.jsf" file when processing the "file" parameter could allow attackers to list the contents of arbitrary folders via directory traversal attacks.
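An added example, not part of the original advisory: a log check that flags requests to the two scripts named above whose "filename" or "file" parameter contains a parent-directory segment once fully decoded. The access-log format, the /app/ path prefix and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script name -> parameter named in the advisory.
WATCHED = {"jsft_resource.jsf": "filename", "scales_static_resource.jsf": "file"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (assumed combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/jsft_resource.jsf?filename=css/site.css HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /app/jsft_resource.jsf?filename=../../conf/example.txt HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /app/scales_static_resource.jsf?file=%252e%252e%2f HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /app/index.jsf?file=../x HTTP/1.1" 404 0',
]

def is_traversal(value):
    """True if the value contains a '..' path segment after decoding."""
    # Decode repeatedly so double-encoded input (%252e) is also caught.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Treat backslashes as separators, then look for a parent-directory segment.
    return ".." in value.replace("\\", "/").split("/")

def suspicious_requests(log_lines):
    """Return (line_number, script, parameter_value) for flagged requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        script = url.path.rsplit("/", 1)[-1]
        param = WATCHED.get(script)
        if param is None:
            continue  # not one of the two affected scripts
        # parse_qsl percent-decodes each value once; is_traversal decodes further.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == param and is_traversal(value):
                hits.append((number, script, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged line is the case to review first, since it indicates the server returned content for the request.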
Vulnerable Products
Vulnerable Software:
JSFTemplating versions prior to 1.2.11
Mojarra Scales versions prior to 1.3.2
GlassFish version 3 Preview
Solution
Upgrade to JSFTemplating version 1.2.11:
http://download.java.net/maven/1/com.sun.jsftemplating/jars/
Upgrade to Mojarra Scales version 1.3.2:
http://kenai.com/projects/scales/downloads/directory/Mojarra%20Scales%201.3.2/
Install GlassFish version 2.
CVE
References
https://www.sec-consult.com/files/20090901_jsftemplating_filedisclosure.txt
Vulnerability Manager Detection
No
IPS Protection