Advisories for Maven/Io.vertx/Vertx-Web package

In the StaticHandlerImpl#sendDirectoryListing(…) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping. As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS. Affected Code: File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java Lines: 709–713: normalizedDir is constructed without escaping 714–731: <li><a …> elements insert file names …

There is a flaw in the hidden file protection feature of Vert.x Web’s StaticHandler when setIncludeHidden(false) is configured. In the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (.) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases: Files under hidden directories: For example, /.secret/config.txt — although .secret is a hidden directory, the …

Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any class path resource. When computing the relative path to locate the resource, in case of wildcards, the code: return "/" + rest; …

In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly processes back slashes on Windows Operating systems, allowing, escape the webroot folder to the current working directory.

Vert.x-Web framework does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by …

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems.

In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet.