Ext JS arbitrary file read

Description
  • Ext JS is a pure JavaScript application framework for building interactive web applications using techniques such as Ajax, DHTML and DOM scripting. Baidu Security Team found a vulnerability in the examples provided with Ext JS that allows an attacker to initiate arbitrary HTTP requests and (in some conditions) read arbitrary files from the server.
Remediation
  • Restrict access to the examples directory provided with Ext JS.
References