



We recently were informed of a security vulnerability in the resources plugin that ships with all Grails versions since 2.0.x.

If your application is not using the resources plugin you can safely ignore this disclosure.



This vulnerability has been rectified in Grails 2.3.6 by explicitly checking the default configuration for the resources plugin, but earlier versions of Grails require the addition of the following code to Config.groovy:

grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']



The vulnerability is serious as an attacker could potentially download your entire codebase so we recommend immediate action.

For further information and recommended solutions please read the security disclosure:

http://cxsecurity.com/issue/WLB-2014020172?utm_source=twitterfeed&utm_medium=twitter&utm_content=bugtraq,+wlb,+cxsecurity



Thanks for your attention.

--
Graeme Rocher
Grails Project Lead
SpringSource

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email
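As an added illustration (not the resources plugin's code and not part of the announcement above), the following Python models the include/exclude decision that the two recommended Config.groovy lines express, so their effect can be checked against sample request paths. The include-then-exclude ordering, the Ant-style pattern translation and the sample paths are assumptions constructed here; the real plugin may differ in detail.

```python
import posixpath
import re

# The two settings recommended in the announcement, copied as Python lists.
RECOMMENDED = {
    "includes": ['/images/**', '/css/**', '/js/**', '/plugins/**'],
    "excludes": ['/WEB-INF/**'],
}

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex (assumed semantics)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('/**', i) and i + 3 == len(pattern):
            out.append('(?:/.*)?')   # trailing /**: the directory itself or anything below it
            i += 3
        elif pattern.startswith('**', i):
            out.append('.*')         # **: any number of path segments
            i += 2
        elif pattern[i] == '*':
            out.append('[^/]*')      # *: anything within a single segment
            i += 1
        elif pattern[i] == '?':
            out.append('[^/]')       # ?: one character within a segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile('^' + ''.join(out) + '$')

def is_served(path, config):
    """Model (assumed ordering): served only if the path matches an include and no exclude."""
    # Collapse '.', '..' and repeated slashes so equivalent spellings get the same decision.
    norm = '/' + posixpath.normpath('/' + path).lstrip('/')
    if any(ant_to_regex(p).match(norm) for p in config["excludes"]):
        return False
    return any(ant_to_regex(p).match(norm) for p in config["includes"])

# Constructed sample requests; none of these paths appear in the announcement.
SAMPLES = ['/css/main.css', '/plugins/jquery/js/jquery.js',
           '/WEB-INF/classes/Foo.class', '/css/../WEB-INF/grails-app/conf/Config.groovy',
           '/index.gsp']

def decisions(config=RECOMMENDED):
    """Evaluate every sample path against a configuration and return the verdicts."""
    return {path: is_served(path, config) for path in SAMPLES}

if __name__ == '__main__':
    for path, served in decisions().items():
        print('SERVED' if served else 'DENIED', path)
```

Paths are evaluated after normalization, so the exclude applies to every spelling that resolves under /WEB-INF, while anything outside the include list is denied by default.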




