If you are running Grails 2.x, you should check this.
---------- Forwarded message ----------
From: Graeme Rocher <graeme...@gmail.com>
Date: Thursday, February 20, 2014
Subject: [grails-user] IMPORTANT: CVE-2014-0053 Information Disclosure in Grails applications
To: user <us...@grails.codehaus.org>
Hi all,
We recently were informed of a security vulnerability in the resources
plugin that ships with all Grails versions since 2.0.x.
If your application is not using the resources plugin you can safely
ignore this disclosure.
This vulnerability has been rectified in Grails 2.3.6 by explicitly
checking the default configuration for the resources plugin, but
earlier versions of Grails require the addition of the following code
to Config.groovy:
grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']
The vulnerability is serious as an attacker could potentially download
your entire codebase so we recommend immediate action.
For further information and recommended solutions please read the
security disclosure:
http://cxsecurity.com/issue/WLB-2014020172?utm_source=twitterfeed&utm_medium=twitter&utm_content=bugtraq,+wlb,+cxsecurity
Thanks for your attention.
--
Graeme Rocher
Grails Project Lead
SpringSource
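As an added example, not from the advisory or the Grails project, here is a small Python model of how an Ant-style include/exclude pair like the one above decides whether a requested path may be served. The pattern matcher, the path normalization and the permissive `['/**']` include list used for contrast are my assumptions, not the plugin's actual code or its real default.

```python
import posixpath
import re

# Values from the advisory's Config.groovy, transcribed to Python lists.
ADHOC_INCLUDES = ['/images/**', '/css/**', '/js/**', '/plugins/**']
ADHOC_EXCLUDES = ['/WEB-INF/**']

# Hypothetical permissive include list, constructed only to show why the
# excludes matter; it is NOT the plugin's real default.
PERMISSIVE_INCLUDES = ['/**']


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regex.

    '**' matches any number of path segments, '*' matches within a single
    segment, '?' matches one non-separator character (assumed semantics).
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('**/', i):
            out.append('(?:.*/)?'); i += 3
        elif pattern.startswith('**', i):
            out.append('.*'); i += 2
        elif pattern[i] == '*':
            out.append('[^/]*'); i += 1
        elif pattern[i] == '?':
            out.append('[^/]'); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile('^' + ''.join(out) + '$')


def is_servable(path: str, includes, excludes) -> bool:
    """Return True if a path is covered by an include and by no exclude.

    The path is normalized first so that '..' segments cannot step out of
    an included prefix into an excluded one.
    """
    path = posixpath.normpath('/' + path.lstrip('/'))
    included = any(ant_to_regex(p).match(path) for p in includes)
    excluded = any(ant_to_regex(p).match(path) for p in excludes)
    return included and not excluded
```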