Unvalidated access to CSS and JS resources 

Issue date: 28-04-2017
Affects versions: 11.1, 10.2, 7.9

Security Issue ID

SECURITY-26

Affected Product Version(s)

This vulnerability applies to CMS 7.9.16, CMS 10.2.4, CMS 11.1.1 and earlier versions.


Severity 

Normal


Description

An unauthenticated user can directly access packaged resources and download them without being redirected to the login screen. For more information, see the behavior of Wicket's SecurePackageResourceGuard class.
This could lead to information disclosure and makes it easier for an attacker to identify other potential vulnerabilities in the application. Resources needed for the login page can be excluded from the authentication requirement for packaged resources by configuring a whitelist available in the console.

Instructions

Hippo has implemented a fix for this vulnerability across all supported versions and has provided new maintenance releases. Upgrading to one of them closes this vulnerability in your implementation of Hippo.

The solution requires no changes to Hippo-based projects themselves if the CMS login page has not been customized. Upgrading to the latest Hippo maintenance release (CMS 11.1.2, CMS 10.2.5 or CMS 7.9.17) fixes this security issue. If the project does have customizations of the login page, see Configure the CMS Package Resources Whitelist.
Note that the latest CMS 11.2 minor release already incorporates this fix and therefore doesn't require upgrading.