users@glassfish.java.net

Re: Exposed app server installation directory

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Tue, 31 Mar 2009 19:25:53 -0700

On 03/30/09 05:00 PM, glassfish_at_javadesktop.org wrote:
> Hi,
>
> I'm using Glassfish as my app server (and using Icefaces in my app) and noticed the other day when attempting to access a URL with xmlhttp at the end, the full installation path of my glassfish server is displayed to the user.
>
> For example:
>
> http://component-showcase.icefaces.org/component-showcase/xmlhttp
>
> Will display the full path to the app server to any user. In itself it doesn't seem a big deal, but the error message should not show full paths for security reasons and it's inconsistent with other 404 type errors (I have a custom page to handle 404s but it's not being displayed when accessing this URL).
>
> I know the icefaces page shows JBoss as their app server, but it also occurs in glassfish, and I'm not sure where the problem lies?
>

It most likely does not originate from the web container: We've made sure that whenever the web container creates a 404 response, it does *not* include the name or path of the resource that was not found. Exposing the name or path of the missing resource can create all kinds of problems, and has been exploited for XSS attacks in the past.

Jan
> [Message sent by forum member 'michaellshea' (michaellshea)]
>
> http://forums.java.net/jive/thread.jspa?messageID=339744
>
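Added example, not code from this thread or from GlassFish: a custom 404 servlet (Servlet 2.5 API) written the way Jan describes the container behaving, so that neither the missing resource's name nor any server path reaches the client. The servlet name, class name and web.xml mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Custom 404 handler. Hypothetical web.xml mapping (names are assumptions):
 *
 *   <servlet><servlet-name>notFound</servlet-name>
 *            <servlet-class>NotFoundServlet</servlet-class></servlet>
 *   <servlet-mapping><servlet-name>notFound</servlet-name>
 *                    <url-pattern>/notfound</url-pattern></servlet-mapping>
 *   <error-page><error-code>404</error-code><location>/notfound</location></error-page>
 */
public class NotFoundServlet extends HttpServlet {

    // Fixed body: nothing from the request and nothing from the container reaches the client.
    private static final String BODY =
        "<!DOCTYPE html><html><head><title>Not Found</title></head>"
      + "<body><h1>Not Found</h1><p>The page you requested does not exist.</p></body></html>";

    // service() rather than doGet() so the error page is served for any HTTP method;
    // the container forwards the error with the original request's method.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container exposes the original URI of the missing resource as a request
        // attribute. Keep it server-side only: operators see it, users do not.
        String missing = (String) req.getAttribute("javax.servlet.error.request_uri");
        if (missing != null) {
            getServletContext().log("404 for " + missing);
        }

        // What NOT to do: echoing the URI reflects attacker-controlled text into the page
        // (reflected XSS), and a container-specific message may disclose the install dir.
        //   resp.getWriter().println("<h1>" + missing + " was not found</h1>");
        // HTML-escaping would stop the XSS but still reveal resource names; a static body
        // avoids both problems.

        resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.getWriter().write(BODY);
    }
}
```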