Security Advisory JST-001 - Xephyrus Libraries
Synopsis

A directory traversal vulnerability was discovered in the Xephyrus Java Simple Template Engine.

Background

The Xephyrus Java Simple Template Engine (JST) provides an easy way to merge token values into templates to produce final content. Its primary operating environment is within a web server; however, it can also be used in an embedded or stand-alone script environment.

Description

The JST engine allows whole files to be loaded and merged into templates by use of a file-token. It also allows token values to be overridden by parameters supplied in the HTTP request. In combination, a request can override a file-token's value with a path containing parent-directory components, allowing directory traversal of the web server's file system.

Impact

If the web server the JST engine is executed within has read access to privileged files such as system configuration and password files, a remote user could gain read access to these files.

Affected Versions

JST 0.9 (limited distribution)
JST 1.0 (limited distribution)
JST 1.1 (limited distribution)
JST 2.0 (limited distribution)
JST 2.1 (limited distribution)
JST 3.0 (public distribution)

Solution

The file-token processing code in version 3.1 of the JST engine has been adjusted to disallow parent directory access. All file access is thus restricted to the template directory and descendants thereof.
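
The following is an added illustration of the defence described above, written for this advisory; it is not JST's own code and does not use JST's API. It assumes a minimal token syntax of the form {name}, a "file:" prefix marking a file-token, and the JST rule that request parameters override template tokens. The check itself is the general one: canonicalize the template directory and the requested path, then accept the file only if it lies inside the template tree.

```python
import tempfile
from pathlib import Path


class TemplateTraversalError(Exception):
    """Raised when a file-token value resolves outside the template directory."""


def resolve_template_file(template_dir, requested):
    """Resolve a file-token value against the template directory.

    Both paths are canonicalized (".." removed, symlinks followed) before the
    containment check, so "a/../../x" and "sub/../x" are judged on where they
    actually land.  Path.relative_to raises ValueError when `candidate` is not
    under `base`, which avoids the naive string-prefix mistake of treating
    "templates2" as inside "templates".
    """
    base = Path(template_dir).resolve()
    # A leading slash would make Path discard `base`; treat every token value
    # as relative to the template directory.
    candidate = (base / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TemplateTraversalError(
            f"file-token {requested!r} resolves outside {base}"
        ) from None
    return candidate


def merge(template_text, template_tokens, request_params, template_dir):
    """Merge tokens into template_text, request parameters overriding template
    tokens (the JST behaviour this advisory describes).  File-tokens are read
    only through resolve_template_file, so an overridden value cannot reach
    outside the template directory.  Token syntax {name} is assumed."""
    tokens = dict(template_tokens)
    tokens.update(request_params)  # request wins, as in JST
    out = template_text
    for name, value in tokens.items():
        if value.startswith("file:"):
            path = resolve_template_file(template_dir, value[len("file:"):])
            value = path.read_text()
        out = out.replace("{" + name + "}", value)
    return out


def demo():
    """Constructed scenario: a template directory holding a footer fragment and a
    sensitive file one level above it.  Returns the normal render and whether a
    request that overrides the footer file-token with a parent path is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        tdir = Path(tmp) / "templates"
        tdir.mkdir()
        (tdir / "footer.txt").write_text("-- footer --")
        (Path(tmp) / "secret.conf").write_text("db_password=constructed")

        template = "Hello {user}\n{footer}"
        tokens = {"user": "guest", "footer": "file:footer.txt"}

        normal = merge(template, tokens, {"user": "alice"}, tdir)
        try:
            merge(template, tokens, {"footer": "file:../secret.conf"}, tdir)
            blocked = False
        except TemplateTraversalError:
            blocked = True
        return normal, blocked


if __name__ == "__main__":
    print(demo())
```

Because resolve() follows symlinks, a link inside the template directory that points elsewhere is also rejected; if a deployment relies on such links, the containment check should be applied to the link target deliberately rather than loosened. The check is still no substitute for running the server with least file-system privilege, as the Impact section implies.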

Older versions of the JST engine can be made secure by executing the web server in a chrooted environment.

Availability

Updates to the JST Engine are available on the Xephyrus web site at: http://www.xephyrus.com/jst

Contact and Support

If you have technical or usage questions or comments about this Xephyrus project, please subscribe to the xephyrus-libs mailing list and discuss them.

If you need to contact the author directly, that's Topher. Please send support messages to the mailing list.