Wednesday, June 16, 2010

XPages: Bug? View XPage Source code in the browser

Edit: This bug has been confirmed fixed in Domino 8.5.1 FP1.

I just read this in my daily RSS roundup.

Add a + after .xsp in the address field of your browser results in the source code of the current XPage being printed to the browser (click above link for screenshot or try for yourself). It's not sure how I feel about this. In most cases it won't be a security issue, but still..

6 comments:

Paul Hannan said...

Have you install a 851 fix pack lately?
;-)

Anonymous said...

Didn't this used to happen on a server older than 8.5 ?

Unknown said...

@Paul: Do you mean 8.5.1+? :P

I think the server I tested on is running 8.5.1. That means it's fixed? :)

Paul Hannan said...

Yes, the fix for that went into 851 FP1.
And I recall that you only got the source from the XPage and not from any custom controls that might be on it.
There were a couple of other XPages bugs resolved there (and one or two since FP3 is now available) so well worth pulling down the fixpacks when they become available.

p.

Bernd Webster said...

Its a half year ago that 8.5.1 was released. Its similar to a Microsoft Webserver. If the admin miss to install the needed hotfixed he should be kicked ...

Nobody runs a ISS server without the latest patchlevel. But some does it with Domino because in the past there was no such issue ... and now... they complains about small issues :D. And on the other side blows a lot of hacked MS ISS server spam emails in to the internet ... nice world :D

JJTB Somhorst said...

The big problem about this is that it will show which data sources are used by the xpage. So for instance if you have a viewcontrol it would be possible to open this view outside of the xpages if it wasn't hidden from the web. Or what about agents which are called inside the xpage? If they are not called within a javascript object but just in the event handler itself it is easy for a 'hacker' to run that agent himself and completely messing up the application.

This issue is a bigger problem then it might seem at first thought. But luckily it was fixed in FP1...