CVE-2014-0053 Information Disclosure when using Grails

[Pivotal Security Team <security () gopivotal com>]

CVE-2014-0053 Information Disclosure in Grails applications

Severity: Important

Vendor: Grails by Pivotal

Versions Affected:
- Grails 2.0.0 to 2.3.5

Description:
The Grails resources plug-in, a default dependency of Grails since
2.0.0, does not block access to resources located under /WEB-INF by
default. This means that both configuration files and class files
are publicly accessible when they should be private.

Mitigation:
Users of affected versions should apply one of the following
mitigations:
- Upgrade to Grails 2.3.6 and redeploy the application
- Configure the resources plugin to block access to /WEB-INF
- Prevent access to /WEB-INF in the reverse proxy (if one is used)

Possible configuration options to block access to /WEB-INF include
adding the following to grails-app/conf/Config.groovy:
grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']

Credit:
This issue was identified by @Ramsharan065 but was reported publicly
to the Grails team via Twitter. Pivotal strongly encourages responsible
reporting of security vulnerabilities via security () gopivotal com

References:
https://twitter.com/Ramsharan065/status/434975409134792704
https://github.com/grails/grails-core/commit/2d5d2a8b3e40111412051dbbeb32eae005fdcf35
http://www.gopivotal.com/security/cve-2014-0054 (may take up to 24 hours to go live)

History:
2014-Feb-16: Issue made public
2014-Feb-19: Initial vulnerability report published

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/