Path traversal vulnerability

 
Nilesh Pat
Ranch Hand
Posts: 46
Hi,
I need to restrict one attack on my server.

Attack used: Submit=Download&all=/WEB-INF/web.xml

If someone appends the following string to my action URL, it opens the file from the system.

For example:
http://localhost:7001/tp/web/exampleAction.action?Submit=Download&all=/WEB-INF/web.xml

This will load web.xml in the browser.
Same with .jar or other files in the webroot folder.

Many of my forms are sending data via GET, so I can't restrict all of this at once. Any idea?

Thanks in advance.
 
Abhay Agarwal
Ranch Hand
Posts: 1376
One very simple (maybe not elegant) way is to place a check on the "all" parameter value. If the value contains WEB-INF, simply show an error page to the user.

Basically, any file within WEB-INF is considered to be secured. In the first place, why would we want to download a file which is present in the WEB-INF folder?

~ abhay
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
What does your exampleAction servlet do?
 
Nilesh Pat
Ranch Hand
Posts: 46
Hi Abhay/Bear,
Thanks for your reply.

Abhay, it's a good solution you gave; by putting a filter on the WEB-INF value it will work for the WEB-INF folder. But basically the whole 'webroot' folder comes under attack.
And it is not that we want to download a file present in the WEB-INF folder. It is that a hacker or attacker can access the file if we don't put a filter or validation on the request.

Bear, exampleAction is just a Struts action; it's just an example. There are many actions for login, registration, report generation, etc.
 
E Armitage
Rancher
Posts: 989
Nilesh Pat wrote:
Bear, exampleAction is just a Struts action; it's just an example. There are many actions for login, registration, report generation, etc.

Your Struts actions should not be displaying files inside your web application. If you want to serve files from your web application, then run a file servlet: http://balusc.blogspot.com/2009/02/fileservlet-supporting-resume-and.html
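Abhay's substring check on the "all" parameter and E Armitage's pointer to a dedicated file servlet come down to the same question: how a download action decides which file, if any, it may send. The class below is an added example written for this thread, not code from any poster, from Struts, or from the linked file servlet. It shows the substring check beside a canonical-path check that only serves files from one dedicated directory (assumed here to be a "downloads" folder under the webapp, a name chosen for the example) and runs stand-alone against a constructed temporary directory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hypothetical helper for a download action: decides which file, if any, a
 * user-supplied name may be served from. Written for this thread as an
 * illustration; it is not part of Struts or of any poster's application.
 */
public final class SafeDownloadPath {

    private SafeDownloadPath() {}

    /** The substring check suggested in the thread: refuse if "WEB-INF" appears. */
    static boolean naiveCheck(String requested) {
        return requested != null && !requested.contains("WEB-INF");
    }

    /**
     * Returns the canonical path to serve, or null if the request must be refused.
     * downloadRoot is the only directory files may come from (assumption: a
     * dedicated folder such as <webapp>/downloads, never the whole webroot).
     */
    static Path resolve(Path downloadRoot, String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Path.resolve() replaces the root entirely when given an absolute path
        // such as "/WEB-INF/web.xml" or "C:\...", so refuse those outright.
        if (requested.startsWith("/") || requested.startsWith("\\") || requested.contains(":")) {
            return null;
        }
        Path root = downloadRoot.toRealPath();                // canonical root, symlinks followed
        Path candidate = root.resolve(requested).normalize(); // collapses "." and ".." segments
        // startsWith() compares whole path components, so "downloads-evil" does
        // not pass as a child of "downloads", and "../WEB-INF/web.xml" fails here.
        if (!candidate.startsWith(root)) {
            return null;
        }
        if (!Files.isRegularFile(candidate)) {                // no directories, no missing files
            return null;
        }
        // Canonicalise the file too: a symlink inside the root that points
        // outside it would otherwise slip through.
        Path real = candidate.toRealPath();
        return real.startsWith(root) ? real : null;
    }

    /** Demonstration against a constructed temporary webapp layout. */
    public static void main(String[] args) throws IOException {
        Path webapp = Files.createTempDirectory("webapp");
        Path downloads = Files.createDirectories(webapp.resolve("downloads"));
        Path webInf = Files.createDirectories(webapp.resolve("WEB-INF"));
        Files.write(downloads.resolve("report.pdf"), "pdf".getBytes(StandardCharsets.UTF_8));
        Files.write(webInf.resolve("web.xml"), "<web-app/>".getBytes(StandardCharsets.UTF_8));

        String[] requests = {
            "report.pdf",           // legitimate download
            "/WEB-INF/web.xml",     // the request from the thread
            "../WEB-INF/web.xml",   // same target, relative climb out of downloads
            "../web-inf/web.xml",   // passes the substring check; matters on case-insensitive file systems
            "../../../etc/passwd",  // beyond the webapp entirely
        };
        for (String r : requests) {
            Path served = resolve(downloads, r);
            System.out.printf("%-22s substringCheck=%-5s canonicalCheck=%s%n",
                    r, naiveCheck(r), served == null ? "REFUSED" : served.getFileName());
        }
    }
}
```

In a real action the root would come from the servlet context (the real path of the downloads folder), and a null result would be answered with 403 or 404 rather than an error page that echoes the parameter. Note that the container decodes percent-encoded parameters before the action sees them, so an encoded "../" reaches this code as a plain "../" and is handled by normalize(); the substring check, by contrast, lets through any spelling of the target it was not written for, which is why a single allowed directory plus canonicalisation is the safer design.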
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
The point is, unless your Struts action does something to send those files to the response, just putting those parameters into a request will do nothing. Why do you think that they will?
 