Hi all,
We recently were informed of a security vulnerability in the resources
plugin that ships with all Grails versions since 2.0.x.
If your application is not using the resources plugin you can safely
ignore this disclosure.
This vulnerability has been rectified in Grails 2.3.6 by explicitly
checking the default configuration for the resources plugin, but
earlier versions of Grails require the addition of the following code
to Config.groovy:
grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']
The vulnerability is serious as an attacker could potentially download
your entire codebase, so we recommend immediate action.
For further information and recommended solutions please read the
security disclosure:
http://cxsecurity.com/issue/WLB-2014020172?utm_source=twitterfeed&utm_medium=twitter&utm_content=bugtraq,+wlb,+cxsecurity
Thanks for your attention.
--
Graeme Rocher
Grails Project Lead
SpringSource
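The following is an added example, not code from the announcement or from the Grails resources plugin. It models how an includes/excludes pair like the Config.groovy lines above decides whether a request path is served, using assumed Ant-style pattern semantics ('**' spans path segments, a trailing '/**' also matches the directory itself), and lints a configuration against constructed probe paths under /WEB-INF; the permissive ['/**'] configuration used for contrast in the test is hypothetical and not a statement about the plugin's real default. Verify the matching rules against the plugin's own matcher before relying on this.

```python
import posixpath
import re

# Mitigation values from the announcement above (Config.groovy), re-typed here.
RECOMMENDED_INCLUDES = ['/images/**', '/css/**', '/js/**', '/plugins/**']
RECOMMENDED_EXCLUDES = ['/WEB-INF/**']

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex.
    Assumed semantics: '**' spans path segments, '*' and '?' stay within
    one segment, and a trailing '/**' also matches the directory itself."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.endswith('/**') and i == len(pattern) - 3:
            out.append('(?:/.*)?')
            i += 3
        elif pattern.startswith('**', i):
            out.append('.*')
            i += 2
        elif pattern[i] in '*?':
            out.append('[^/]*' if pattern[i] == '*' else '[^/]')
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return '^' + ''.join(out) + '$'

def is_served(path, includes, excludes):
    """True if a request for `path` passes the include list and no exclude.
    The path is canonicalised first ('.' and '..' segments collapsed) so the
    decision is made on the file actually addressed, not on its spelling."""
    canonical = posixpath.normpath(path)
    if not canonical.startswith('/'):
        return False
    def hit(patterns):
        return any(re.match(ant_to_regex(p), canonical) for p in patterns)
    return hit(includes) and not hit(excludes)

def config_findings(includes, excludes):
    """Lint a configuration: constructed probe paths under /WEB-INF (one real
    descriptor name, web.xml, and one made-up class file) must be unreachable,
    while an ordinary static asset path must still be served."""
    findings = []
    for probe in ['/WEB-INF/web.xml', '/WEB-INF/classes/Foo.class']:
        if is_served(probe, includes, excludes):
            findings.append('serves ' + probe)
    if not is_served('/css/main.css', includes, excludes):
        findings.append('blocks static asset /css/main.css')
    return findings
```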