Hi Folks,
a colleague of mine (Patrick Schönenberg from Zendas www.zendas.de) pointed out a possible security risk in dbforms 2.5: If you create a local web page with a modified form, files like WEB-INF/dbforms-config.xml can be exposed to any client without authentication. This is how you do it:
Create a local file test_dbform.htm with a form tag:
<form name="dbform" action="http://<<your-webapp>>/servlet/control" method="post">
and a button <input type="hidden" name="fu_<<FORM-ID>>" value="/WEB-INF/dbforms-config.xml"/>
and a submit button will display the dbforms-config file - without authentication! Since this file (or others) in the WEB-INF directory contains sensitive information like connection passwords, this is a serious issue.
I have corrected this behaviour with the attached webevent-class, but this only works in my installation. A more general solution would be feasible. Maybe this is already corrected in dbforms 2.6.
Thank you for your attention, and please keep developing this great product!
Daniel Quathamer
Java source where access to WEB-INF and META-INF is denied.
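As an added example (not the attached webevent class and not dbforms' own code), this is the kind of check such a class can apply before forwarding: the requested path is normalized and anything under WEB-INF or META-INF is refused. Class and method names are assumed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example: guards a forward target taken from a request parameter
// (such as the fu_<FORM-ID> value described above). The servlet container
// only blocks *direct* client requests to WEB-INF and META-INF; a
// RequestDispatcher forward issued by the application reads them anyway,
// so the application itself has to validate the target.
public final class ForwardTargetGuard {

    /** Returns the context-relative path to forward to, or null to refuse. */
    public static String sanitize(String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // A forward must stay inside this webapp: refuse absolute and
        // protocol-relative URLs outright.
        if (requested.contains("://") || requested.startsWith("//")) {
            return null;
        }
        String path;
        try {
            // normalize() collapses "." and ".." segments, so
            // "/foo/../WEB-INF/x" becomes "/WEB-INF/x"; getPath() also decodes
            // percent escapes, so "%2fWEB-INF/x" is seen as "/WEB-INF/x".
            path = new URI(requested).normalize().getPath();
        } catch (URISyntaxException e) {
            return null;
        }
        if (path == null || !path.startsWith("/")) {
            return null; // require an absolute, context-relative path
        }
        // Compare case-insensitively: on case-insensitive filesystems
        // "/web-inf/" resolves to the same directory.
        String lower = path.toLowerCase(Locale.ROOT);
        if (lower.equals("/web-inf") || lower.startsWith("/web-inf/")
                || lower.equals("/meta-inf") || lower.startsWith("/meta-inf/")) {
            return null;
        }
        return path;
    }

    private ForwardTargetGuard() {
    }
}
```

Call `sanitize()` on the parameter value and only pass a non-null result to `getRequestDispatcher()`; a null result should be answered with an error response and logged, since it indicates a tampered form.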