
JBoss 4.2.1.GA Application Server Directory Traversal Vulnerability

 
vivek shankare gowda
Ranch Hand
Posts: 41
Hi all,
I have an issue in my application. An attacker can manipulate the paths associated with files used by the application; it could print the contents of arbitrary files on the system.

Any help on how I can get rid of this issue?

I am using JBoss 4.2.1.GA

Thanks,
Vivek
 
K. Tsang
Bartender
Posts: 3639
First off is this a program bug? If so fix it accordingly.

If not, have you checked with JBoss for patches that deal with your vulnerability?
 
vivek shankare gowda
Ranch Hand
Posts: 41
Thank you for the reply.

I found out that, in some page, we are using the following code

String url= dynamic value(In this case: WEB-INF/web.xml)

<jsp:include page='<%=url %>' flush="true"></jsp:include><br>

so when the url points to web.xml, it displays its content.
 
Rob Spoor
Sheriff
Posts: 20943
So you should validate the URL, and make sure it only contains paths to files you want to allow. Never trust any user input. If an incorrect file is requested you could return a 403 (Forbidden) or a 404 (Not Found). Just make sure to always return the same code and not a 403 for files that exist and a 404 for files that don't exist, because that would leak out information about the presence of files.
 
vivek shankare gowda
Ranch Hand
Posts: 41
Thanks. What would be the right way to validate the url that we are including in the jsp include?

In the example below, we can write code such that if the url contains web.xml, we don't include the file.
String url= dynamic value(In this case: WEB-INF/web.xml)
<jsp:include page='<%=url %>' flush="true"></jsp:include><br>

Can we handle it in a better way?
 
Rob Spoor
Sheriff
Posts: 20943
Instead of blacklisting (disallowing certain URLs such as WEB-INF/web.xml), I'd go for whitelisting instead - only allow those URLs that you actually want to include. This should be part of the code that determines the dynamic URL.
 
vivek shankare gowda
Ranch Hand
Posts: 41
Thank you for the suggestion. But I do have many urls to include dynamically, and I am avoiding the url for web.xml alone. So how can I whitelist in this case?
 
Rob Spoor
Sheriff
Posts: 20943
You say you're excluding web.xml only, but what about class files, tag files, etc? Everything inside WEB-INF should be shielded. Also, everything outside of your application should be shielded. So if you can make sure the whitelisting only contains resources within your application (e.g. disallow any form of .. to disallow going up one directory, make any absolute path relative to your application) and does not refer to anything in WEB-INF, then it should be safe to include these (as these resources are already public).
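One way to apply the advice in this thread (reject ".." and absolute paths, shield WEB-INF, then whitelist) in the code that determines the dynamic value before it reaches the jsp:include. This is an added example, not code from the thread or from JBoss; the class name, the allow-list entries and the fragment paths are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper: validates a request-supplied path before it is passed to <jsp:include>. */
public final class IncludePathValidator {

    // Constructed allow-list: the only fragments this (hypothetical) application includes dynamically.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "fragments/header.jsp", "fragments/footer.jsp", "news/latest.jsp"));

    /**
     * Returns the normalized, context-relative path to include, or null when the request
     * must be refused. The caller sends the same status (e.g. 404) for every null, so the
     * response does not reveal whether the refused file exists.
     */
    public static String validate(String requested) {
        if (requested == null || requested.length() == 0) {
            return null;
        }
        // Percent signs, backslashes and NUL bytes never occur in a legitimate include name;
        // they only serve to sneak an encoded or platform-specific ".." past normalization.
        if (requested.indexOf('%') >= 0 || requested.indexOf('\\') >= 0 || requested.indexOf('\0') >= 0) {
            return null;
        }
        // Anchor the path at the context root and let URI.normalize() fold "." and "..".
        // A path that would climb above the root keeps a leading "/.." after normalization.
        String normalized;
        try {
            normalized = new URI(null, null, "/" + requested, null).normalize().getPath();
        } catch (URISyntaxException e) {
            return null;
        }
        if (normalized == null || normalized.startsWith("/..")) {
            return null;
        }
        String relative = normalized.substring(1); // drop the anchoring slash: always app-relative
        // Shield all of WEB-INF and META-INF (web.xml, classes, tag files, ...), case-insensitively.
        String lower = relative.toLowerCase(Locale.ENGLISH);
        if (lower.startsWith("web-inf/") || lower.startsWith("meta-inf/")) {
            return null;
        }
        // Final gate: only resources the application deliberately exposes are ever included.
        return ALLOWED.contains(relative) ? relative : null;
    }
}
```

With this in place the JSP includes only the value returned by validate(), e.g. "fragments/header.jsp"; "WEB-INF/web.xml", "fragments/../WEB-INF/web.xml" and "/etc/passwd" all come back as null.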
 