10.14 Do not allow cross context requests

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Setting crossContext to true allows for an application to call ServletConext.getContext to return a dispatcher for another application.

Rationale:

Allowing crossContext creates the possibility for a malicious application to make requests to a restricted application.

Solution

Set the crossContext attribute in all context.xml files to false:

<Context ... crossContext='false' />

Default Value:

By default crossContext has a value of false.

See Also

https://workbench.cisecurity.org/files/3090