Getting directory listing issue with URL /VAADIN/* using Vaadin 8, JBoss EAP 7.0, Firefox browser

1
votes

Problem statement:
Application built using Vaadin 8 deployed on Jboss EAP 7.0 has directory listing issue of all resources within /VAADIN/* e.g /VAADIN/themes/mytheme/images

Validation:
Upon validating other directories, say myapp/images or my/js this issue is not occurring which means default directory listing is off with Jboss configuration and is working perfectly. Issue only with Firefox

Approach:
I could partially fix by having the authentication filter configured for /VAADIN/* URL, but anyways post authentication the directory listing is still happening. Until that fix the listing was happening without authentication

Please suggest a fix the vulnerability

1
securityvaadinvaadin8jboss-eap-7directory-listing

1 Answers

1
votes

Thank you for the report, we had already noticed some related issues for Vaadin Flow but the tickets or related changes haven't got backported to Vaadin 8 yet. I'll look into it.

The directory listing shouldn't be shown, although the lack of it mainly provides security by obscurity. The files that are served to the client will be accessible through the client regardless. It's best not to include any sensitive data among them.

Edit: Backported fixes should now be available in 8.14-SNAPSHOT and 8.13.2.