Path traversal vulnerability

 
Ranch Hand
Posts: 46
Hi,
I need to restrict one attack on my server.

Attack used: Submit=Download&all=/WEB-INF/web.xml

If someone appends the following string to my action URL, it opens the file from the system.

For example:
http://localhost:7001/tp/web/exampleAction.action?Submit=Download&all=/WEB-INF/web.xml

This will load web.xml in the browser.
The same happens with .jar or other files in the webroot folder.

Many of my forms send data via GET, so I can't restrict this all at once. Any idea?

Thanks in advance.
 
Ranch Hand
Posts: 1376
One very simple (maybe not elegant) way is to place a check on the "all" parameter value. If the value contains WEB-INF, simply show an error page to the user.

Basically, any file within WEB-INF is considered to be secured. In the first place, why would we want to download a file which is present in the WEB-INF folder?

~ abhay
 
Sheriff
Posts: 67265
What does your exampleAction servlet do?
 
Nilesh Pat
Ranch Hand
Posts: 46
Hi Abhay/Bear,
Thanks for your reply.

Abhay, it's a good solution you gave; by putting a filter on the WEB-INF value it will work for the WEB-INF folder. But basically the whole 'webroot' folder comes under attack.
And it is not that we want to download a file present in the WEB-INF folder. It is that a hacker or attacker can access the file if we don't put the filter or validation on the request.

Bear, exampleAction is just a Struts action. It's just an example. There are many actions for login, registration, report generation, etc.
 
Rancher
Posts: 989

Nilesh Pat wrote:
Bear, exampleAction is just a Struts action. It's just an example. There are many actions for login, registration, report generation, etc.


Your Struts actions should not be displaying files inside your web application. If you want to serve files from your web application, then run a file servlet: http://balusc.blogspot.com/2009/02/fileservlet-supporting-resume-and.html
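The two suggestions above (abhay's substring check on the "all" parameter, and the advice to serve files only through a dedicated file servlet) both come down to the same question: how does the download code decide which files it is allowed to send? The example below is added to this thread and is not code from the original poster or from the linked file servlet. It assumes a separate downloads directory under the webroot that holds the only files meant to be served, and a parameter value of the kind shown in the first post. Rather than blacklisting the string WEB-INF, it resolves the requested name against that directory's canonical path and refuses anything that lands outside it, which also covers the .jar files and other webroot contents the original poster was worried about.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Optional;

/**
 * Added example (not the original poster's code): resolve a user-supplied
 * file name against a fixed download directory and refuse anything that
 * escapes it. The webroot/downloads layout is an assumption for illustration.
 */
public class DownloadPathCheck {

    /**
     * Returns the real path of the requested file only if it lies inside
     * downloadRoot. Absolute paths, "..", WEB-INF/META-INF, non-files and
     * symlinks pointing outside the root all yield Optional.empty().
     */
    static Optional<Path> resolveDownload(Path downloadRoot, String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return Optional.empty();
        }
        // Treat backslashes as separators so "..\" is handled like "../".
        String cleaned = requested.replace('\\', '/');

        // Container directories are never legitimate download targets,
        // whatever the case or position in the path.
        String lower = cleaned.toLowerCase(Locale.ROOT);
        if (lower.contains("web-inf") || lower.contains("meta-inf")) {
            return Optional.empty();
        }

        // resolve() returns an absolute argument unchanged, which would
        // bypass the root entirely, so reject absolute requests outright.
        Path relative = Paths.get(cleaned);
        if (relative.isAbsolute()) {
            return Optional.empty();
        }

        Path root = downloadRoot.toRealPath();           // canonical, symlinks resolved
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {               // "../" walked out of the root
            return Optional.empty();
        }
        if (!Files.isRegularFile(candidate)) {
            return Optional.empty();
        }
        // toRealPath() follows symlinks, so a link inside the root that
        // points outside it is caught by the second containment check.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) {
            return Optional.empty();
        }
        return Optional.of(real);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout (created in a temp directory):
        //   <tmp>/webroot/WEB-INF/web.xml        must never be served
        //   <tmp>/webroot/downloads/report.pdf   the only legitimate file
        Path webroot = Files.createTempDirectory("webroot");
        Path downloads = Files.createDirectories(webroot.resolve("downloads"));
        Files.createDirectories(webroot.resolve("WEB-INF"));
        Files.write(webroot.resolve("WEB-INF/web.xml"), "<web-app/>".getBytes(StandardCharsets.UTF_8));
        Files.write(downloads.resolve("report.pdf"), "%PDF-1.4".getBytes(StandardCharsets.UTF_8));

        String[] requests = {
            "report.pdf",                                   // allowed
            "/WEB-INF/web.xml",                             // the request from the first post
            "../WEB-INF/web.xml",                           // traversal out of downloads
            "..\\web-inf\\web.xml",                         // backslash and case variant
            webroot.resolve("WEB-INF/web.xml").toString(),  // absolute path
            "nonexistent.pdf"                               // inside root but not a file
        };
        for (String r : requests) {
            Optional<Path> p = resolveDownload(downloads, r);
            System.out.printf("%-60s -> %s%n", r,
                    p.map(x -> "serve " + x.getFileName()).orElse("reject"));
        }
    }
}
```

Running the class serves only report.pdf and rejects the other five requests. The order of the checks matters: the containment test on the normalized path is what stops "../" traversal, and the second toRealPath() comparison is what stops a symlink planted inside the download directory; the WEB-INF substring check alone, as abhay notes, only protects that one folder.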
 
Bear Bibeault
Sheriff
Posts: 67265
The point is, unless your Struts action does something to send those files to the response, just putting those parameters into a request will do nothing. Why do you think that they will?
 