IMPORTANT: CVE-2014-0053 Information Disclosure in Grails applications

IMPORTANT: CVE-2014-0053 Information Disclosure in Grails applications

Graeme Rocher-2
Hi all,

We were recently informed of a security vulnerability in the resources
plugin that ships with all Grails versions since 2.0.x.

If your application is not using the resources plugin, you can safely
ignore this disclosure.

This vulnerability has been rectified in Grails 2.3.6 by explicitly
checking the default configuration for the resources plugin, but
earlier versions of Grails require the addition of the following code
to Config.groovy:

grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']

The vulnerability is serious, as an attacker could potentially download
your entire codebase, so we recommend immediate action.

For further information and recommended solutions please read the
security disclosure:

http://cxsecurity.com/issue/WLB-2014020172?utm_source=twitterfeed&utm_medium=twitter&utm_content=bugtraq,+wlb,+cxsecurity

Thanks for your attention.

--
Graeme Rocher
Grails Project Lead
SpringSource


Re: IMPORTANT: CVE-2014-0053 Information Disclosure in Grails applications

Ram_Gopal
We are running Grails 2.1.1, and our site is now live in production.

With regard to 'CVE-2014-0053', we are unable to understand what resources (within WEB-INF) can be accessed due to this vulnerability.

Can you please give us some sample URLs using which WEB-INF contents stay exposed due to this vulnerability?

This way we can verify the suggested fix on our site (before and after).

Let me know if you need more info to help us.

Thanks

- Ram Gopal