The Java Portlet Specification JSR286 API jar file code could
allow a remote attacker to obtain sensitive information, caused by the
failure to restrict access to resources located within the web application.
An attacker could exploit this vulnerability to obtain configuration data
and other sensitive information.


Problem summary:
A resource ID string can be set on a resource URL. If a resource ID is
present, the default behavior of the GenericPortlet#serveResource method is
to dispatch to the resource identified by the resource ID through a request
dispatcher. The vulnerability can occur if an attacker manipulates the
resource ID field on a resource URL to point to a resource such as a JSP or
servlet that the user would not normally be able to access. Security
constraints can be bypassed in this manner.

Even portlets that do not use resource serving can be vulnerable if the
GenericPortlet#serveResource method is not overridden, since an attacker
could potentially add a resource ID to a resource URL. The resource ID
would be dispatched through the GenericPortlet#serveResource method.

Portlets that override the GenericPortlet#serveResource method and
either do not call the super.serveResource method or call it only after
verifying the resource ID are not vulnerable.