
Getting directory listing issue with URL /VAADIN/* using Vaadin 8, JBoss EAP 7.0, Firefox browser

Problem statement:
An application built using Vaadin 8 and deployed on JBoss EAP 7.0 has a directory listing issue for all resources within /VAADIN/*, e.g. /VAADIN/themes/mytheme/images.

Validation:
Upon validating other directories, say myapp/images or my/js, this issue does not occur, which means default directory listing is off in the JBoss configuration and is working perfectly. The issue occurs only with Firefox.

Approach:
I could partially fix this by having the authentication filter configured for the /VAADIN/* URL, but post-authentication the directory listing is still happening. Until that fix, the listing was happening without authentication.

Please suggest a fix for the vulnerability.
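An interim mitigation along the lines of the filter approach above, added here as an example and not code from the thread or from Vaadin: a servlet filter mapped to /VAADIN/* that refuses any request resolving to a directory inside the web application, so nothing is listed even when the servlet would otherwise do so. It assumes the javax.servlet API of Java EE 7 (JBoss EAP 7.0) and that the themes live in the deployed WAR; resources served by the VaadinServlet from the classpath (theme JARs) are not covered by the getResourcePaths check.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; apply it to the same /VAADIN/* pattern the question describes.
@WebFilter(urlPatterns = "/VAADIN/*")
public class VaadinDirectoryListingFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decoded path relative to the context root, e.g. "/VAADIN/themes/mytheme/images"
        // (servletPath + pathInfo, so it is independent of how the VaadinServlet is mapped).
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (isDirectoryRequest(request, path)) {
            // Answer 404 rather than 403 so the response does not confirm the directory exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when the path ends with a slash or names a directory packaged in the web app. */
    static boolean isDirectoryRequest(HttpServletRequest request, String path) {
        if (path.endsWith("/")) {
            return true;
        }
        // getResourcePaths returns null unless the argument is a directory-like prefix
        // with resources beneath it; plain files such as styles.css yield null.
        return request.getServletContext().getResourcePaths(path + "/") != null;
    }

    @Override
    public void destroy() {}
}
```

Check it with a browser request for /VAADIN/themes/mytheme/images/ (expect 404) and for a real file such as /VAADIN/themes/mytheme/styles.css (expect 200), then remove the filter once the patched Vaadin 8 release is deployed.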

Thank you for the report; we had already noticed some related issues for Vaadin Flow, but the tickets or related changes haven't been backported to Vaadin 8 yet. I'll look into it.

The directory listing shouldn't be shown, although the lack of it mainly provides security by obscurity. The files that are served to the client will be accessible through the client regardless. It's best not to include any sensitive data among them.

Edit: Backported fixes should now be available in 8.14-SNAPSHOT and 8.13.2.
