JBoss 4.2.1.GA Application Server Directory Traversal Vulnerability

Ranch Hand
Posts: 41
Hi all,
I have an issue in my application. An attacker can manipulate the paths associated with files used by the application. It could print the contents of arbitrary files on the system.

Any help how can I get rid of this issue?

I am using JBoss 4.2.1.GA

Thanks,
Vivek
Bartender
Posts: 3648
First off is this a program bug? If so fix it accordingly.

If not, have you checked with JBoss for patches that deal with your vulnerability?
vivek shankare gowda
Ranch Hand
Posts: 41
Thank you for the reply.

I found out that, in some page, we are using the following code

String url= dynamic value(In this case: WEB-INF/web.xml)

<jsp:include page='<%=url %>' flush="true"></jsp:include><br>

So when the url is pointing to web.xml, it displays its content.
Sheriff
Posts: 22781
So you should validate the URL, and make sure it only contains paths to files you want to allow. Never trust any user input. If an incorrect file is requested you could return a 403 (Forbidden) or a 404 (Not Found). Just make sure to always return the same code and not a 403 for files that exist and a 404 for files that don't exist, because that would leak out information about the presence of files.
vivek shankare gowda
Ranch Hand
Posts: 41
Thanks. What would be the right way to validate the url that we are including in the jsp include?

In the below example, we can write code such that if url contains web.xml, don't include the file.
String url= dynamic value(In this case: WEB-INF/web.xml)
<jsp:include page='<%=url %>' flush="true"></jsp:include><br>

Can we handle it in a better way?

Rob Spoor
Sheriff
Posts: 22781
Instead of blacklisting (disallowing certain URLs such as WEB-INF/web.xml), I'd go for whitelisting instead - only allow those URLs that you actually want to include. This should be part of the code that determines the dynamic URL.
vivek shankare gowda
Ranch Hand
Posts: 41
Thank you for the suggestion. But I do have many urls to include dynamically, and I am avoiding the url for web.xml alone. So how can I whitelist in this case?
Rob Spoor
Sheriff
Posts: 22781
You say you're excluding web.xml only, but what about class files, tag files, etc? Everything inside WEB-INF should be shielded. Also, everything outside of your application should be shielded. So if you can make sure the whitelisting only contains resources within your application (e.g. disallow any form of .. to disallow going up one directory, make any absolute path relative to your application) and does not refer to anything in WEB-INF, then it should be safe to include these (as these resources are already public).
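Putting the rules from the answers above into code, as an added example that is not from this thread and not part of JBoss or the servlet API: the validator below takes the "dynamic value" before it reaches jsp:include, re-roots absolute paths at the application root, refuses any ".." segment, refuses anything whose first directory is WEB-INF (or META-INF), and only accepts resource types the application actually intends to include. The class and method names, the .jsp/.html extension policy and the sample inputs are my assumptions; a rejected value comes back as null so the caller can answer every rejection with one and the same status code, as the earlier answer recommends.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Whitelist-style validator for the value that ends up in
 * <jsp:include page="..."> (added example, hypothetical names).
 * Rules, in order: no smuggled separators, absolute paths become
 * application-relative, no "..", nothing under WEB-INF or META-INF,
 * and only the file types this application wants to include.
 */
public final class IncludePathValidator {

    // Assumed policy: the resource types this application includes dynamically.
    private static final Set<String> ALLOWED_EXTENSIONS =
            new HashSet<String>(Arrays.asList("jsp", "html"));

    // Never includable, compared case-insensitively because the application may
    // be deployed on a case-insensitive file system.
    private static final Set<String> PROTECTED_DIRS =
            new HashSet<String>(Arrays.asList("web-inf", "meta-inf"));

    private IncludePathValidator() {
    }

    /**
     * Returns the canonical, context-relative path to include (always starting
     * with "/"), or null if the request must be refused.
     */
    public static String toSafeIncludePath(String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // The container has already URL-decoded a request parameter once. A
        // leftover '%', a backslash or a NUL byte means a separator or terminator
        // is being smuggled past the segment checks below, so refuse outright.
        if (requested.indexOf('%') >= 0 || requested.indexOf('\\') >= 0
                || requested.indexOf('\0') >= 0) {
            return null;
        }
        // Make any absolute path relative to the application root.
        String relative = requested;
        while (relative.startsWith("/")) {
            relative = relative.substring(1);
        }
        List<String> segments = new ArrayList<String>();
        for (String segment : relative.split("/", -1)) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;        // "a//b" and "a/./b" both mean "a/b"
            }
            if (segment.equals("..")) {
                return null;     // never climb toward or past the application root
            }
            segments.add(segment);
        }
        if (segments.isEmpty()) {
            return null;         // "" or "/" would name the application root itself
        }
        if (PROTECTED_DIRS.contains(segments.get(0).toLowerCase(Locale.ROOT))) {
            return null;         // WEB-INF/web.xml, WEB-INF/classes/..., META-INF/...
        }
        String fileName = segments.get(segments.size() - 1);
        int dot = fileName.lastIndexOf('.');
        String extension = dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(extension)) {
            return null;         // not a type this application includes
        }
        StringBuilder safe = new StringBuilder();
        for (String segment : segments) {
            safe.append('/').append(segment);
        }
        return safe.toString();
    }

    // Constructed sample inputs; the comment on each states the verdict.
    public static void main(String[] args) {
        String[] samples = {
            "pages/header.jsp",          // allowed  -> /pages/header.jsp
            "/pages/footer.html",        // allowed, leading slash re-rooted
            "WEB-INF/web.xml",           // rejected: protected directory
            "web-inf/classes/App.class", // rejected: case-insensitive match
            "pages/../WEB-INF/web.xml",  // rejected: ".." segment
            "../../otherapp/index.jsp",  // rejected: ".." segment
            "pages/%2e%2e/secret.jsp",   // rejected: leftover percent-encoding
            "pages/notes.txt",           // rejected: not an includable type
        };
        for (String sample : samples) {
            String safe = toSafeIncludePath(sample);
            System.out.println((safe == null ? "REJECT " : "ALLOW  ") + sample
                    + (safe == null ? "" : " -> " + safe));
        }
    }
}
```

In the code that determines the dynamic url, pass the value through toSafeIncludePath first. When it returns null, send one fixed status (for example response.sendError(404)) whether or not the requested file exists, and stop; otherwise hand the returned context-relative path to jsp:include. The backslash check matters because the container may treat a backslash as a path separator on Windows, and the percent check stops double-encoded traversal from surviving the single decoding the container performs.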