Folks!
As described here
http://www.milw0
rm.com/exploits/4567
there is a security bug in the current Slide release. Using
the LOCK
methode it is possible to display content from your local
file system.
This works by passing over literate XML that contains
entities that
refer to your local file system.
AFAIK this can not be prevented by the XML implementation
Slide uses (JDOM).
A quick fix would be to disable the LOCK method in the
web.xml by
commenting it out or removing it.
I have also committed a patched LockMethod.java that does
not return
literate XML at all. This may cause trouble with the owner
filed that
some clients require, but it is the best I can do for now.
It is checked in in the Slide 2.1 release branch and in the
HEAD
branch. For existing Slide 2.1 installations it would
suffice to check
out, compile and replace the LockMethod class. You can do so
by
copying it in the the WEB-INF/class folder including all
package
directories.
If you grant outside access to your Slide WebDAVServer be
sure to take
care of this bug.
Cheers
Oliver
------------------------------------------------------------
---------
To unsubscribe, e-mail: slide-user-unsubscribe jakarta.apache.org
For additional commands, e-mail: slide-user-helpjakarta.apache.org
|