How do I prevent access to WEB-INF via HTTP GET in WildFly 10?

sjeaves2 Nov 29, 2018 12:43 PM

I'm tasked to close some security holes in our web-based application (powered by Java servlets). Using an in-house tool that allows us to submit "raw" HTTP requests (like you can with Telnet), we've discovered that, while POST requests forbid access, GET requests honor a request with a relative pathname like so:

http://myhost.com:8080/ServletName/..\WEB-INF\web.xml

From what I've read, access to the WEB-INF directory is restricted, but as I've said, when I do a GET on WildFly 10 (standalone) with a "raw" HTTP request tool, the request is honored.

1. Re: How do I prevent access to WEB-INF via HTTP GET in WildFly 10?

jaikiran Nov 30, 2018 9:09 AM (in response to sjeaves2)

That's clearly a bug. Having said that, I remember such issues have been fixed in newer releases of WildFly. Have you tried upgrading to latest released WildFly (14 currently) and see if it's still reproducible?
1 of 1 people found this helpful
Actions
2. Re: How do I prevent access to WEB-INF via HTTP GET in WildFly 10?

msystems Nov 30, 2018 9:18 AM (in response to jaikiran)

I'm using WildFly 14.0.1 and it's not possible to access the WEB-INF with a GET request with a relative pathname like http://myhost.com:8080/ServletName/..\WEB-INF\web.xml - you will get an '404 - Not Found'.
1 of 1 people found this helpful
Actions
3. Re: How do I prevent access to WEB-INF via HTTP GET in WildFly 10?

sjeaves2 Nov 30, 2018 9:25 AM (in response to jaikiran)

I will try an upgrade and see how that works.
Actions
4. Re: How do I prevent access to WEB-INF via HTTP GET in WildFly 10?

sjeaves2 Nov 30, 2018 11:34 AM (in response to msystems)

Thanks for the confirmation. I'm not sure that we are able to move to a higher version here yet, but it is good to know that this is a bug in WildFly and not in our code.
Actions

Go to original post