Saturday, September 4, 2010

Play! Framework <= Directory Transversal Vulnerability

Play! Framework is really great! Since I saw the video intro on their site I decided to bring that technology into my company. I strongly recommend checking it out.
That being said, I was thinking: "Well it's a new technology, let me give it a quick spin, security wise..."
Blam! It suffered from a vulnerability that allowed for anyone to read any file the owner of the java process (play! is java) could read.
So I contacted the author and gave him the details. Let me tell you, he was a very cool guy, and one hour later a fix was released.
Yes, you read it right, one hour later... kudos play!, kudos...
I later published it to the Exploit Database for the curious ones.