Security Research

File Disclosure == Intellectual Property Exfiltration

abekang on ‎09-13-2012 08:49 AM

As shown in my previous posts, a File Disclosure vulnerability lets you expose sensitive configuration files (web.xml, applicationContext.xml, MANIFEST.MF, db.properties, etc.) or invoke any web-executable file (*.jsp, *.asp, *.jspx, *.aspx, *.cshtml, *.vbhtml, etc.). That got me thinking about the other files and folders under WEB-INF.

 

With JEE, the WEB-INF directory holds not only your web application's configuration files but also your application binaries, as *.jar and *.class files in the WEB-INF/lib and WEB-INF/classes folders. I hope you see where I am going with this…

 

My first test, on the GlassFish application server, did not go well: every attempt to remotely download application binaries (that is, intellectual property) through a File Disclosure vulnerability failed. Some time later I discussed the problem with a friend, who told me that other application servers are not as strict and do allow files to be served from the WEB-INF/lib and WEB-INF/classes directories.

 

Sure enough, when I tested it out on Tomcat 6.x it worked.

 

Just for review, a File Disclosure vulnerability looks like this:

//Spring MVC and Groovy on Grails
return new ModelAndView(untrustedPathSegmentVar, …);

//Struts 1
return new ActionForward(untrustedPathVar, …);

//In Struts 2 struts.xml file where url is an Action attribute
<result name="success">${url}</result>

//In Struts 2 Action class annotation where url is an Action attribute
@Result(location="${url}")

//Ruby on Rails
render params["forwardPath"]

//.NET MVC
return View(untrustedPathVar);

//Zend PHP
$this->_forward($untrustedPathVar, …);

//J2EE
<jsp:include page="untrustedPathVar" />
<jsp:forward page="${param.forward}"/>

//J2EE servlet: the dispatcher is obtained from the request, and forward() needs the request and response
RequestDispatcher rd = request.getRequestDispatcher(untrustedPathVar);
rd.forward(request, response);
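Every pattern above hands a client-controlled string to the framework's forward/render call. The fix is the same in all of them: let the client pick a key, not a path, and only fall back to path checking for legacy code that cannot be changed. The following is an added example written for this post, not code from the original post or from any of the frameworks listed; it is in Python so the logic can be read and ported to whichever framework you use. The names VIEW_ALLOWLIST, resolve_view, ALLOWED_ROOT, canonical_forward_path and is_allowed_forward_path are hypothetical, as are the view names and paths in the allowlist.

```python
"""Added example (not from the original post): resolving an untrusted
"forward"/view parameter safely.  All names and sample paths are hypothetical."""
import posixpath
from urllib.parse import unquote

# Preferred fix: the request supplies a short key, never a path.  Nothing the
# client sends can spell "/WEB-INF/lib/jstl.jar" because only dictionary keys
# are honoured.  (Hypothetical view names and targets.)
VIEW_ALLOWLIST = {
    "home": "/WEB-INF/views/home.jsp",
    "cookies": "/WEB-INF/views/cookies.jsp",
    "login": "/WEB-INF/views/login.jsp",
}


def resolve_view(param):
    """Map an untrusted view key to its forward target; None means 'respond 404'."""
    if not isinstance(param, str):
        return None
    return VIEW_ALLOWLIST.get(param.strip())


# Defence in depth for legacy code that still has to accept a path.
ALLOWED_ROOT = "/pages/"                       # only views under here may be forwarded to
FORBIDDEN_PREFIXES = ("/WEB-INF/", "/META-INF/")


def canonical_forward_path(raw):
    """Decode (twice, to catch double encoding), unify separators, and normalise
    away '.', '..' and repeated slashes so the check below sees the real target."""
    decoded = unquote(unquote(raw)).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    norm = posixpath.normpath(decoded)
    # posixpath.normpath keeps a leading '//' (POSIX allows it); collapse it so a
    # prefix comparison cannot be sidestepped.
    return "/" + norm.lstrip("/")


def is_allowed_forward_path(raw):
    """True only if the canonical path is a .jsp under ALLOWED_ROOT and is not
    inside WEB-INF or META-INF."""
    if not isinstance(raw, str) or "\x00" in raw:
        return False
    path = canonical_forward_path(raw)
    if path.upper().startswith(FORBIDDEN_PREFIXES):
        return False
    return path.startswith(ALLOWED_ROOT) and path.endswith(".jsp")


if __name__ == "__main__":
    for candidate in ("cookies", "/WEB-INF/lib/jstl.jar"):
        print(repr(candidate), "->", resolve_view(candidate))
    for candidate in ("/pages/home.jsp", "/pages/../WEB-INF/web.xml",
                      "%2FWEB-INF%2Flib%2Fjstl.jar"):
        print(repr(candidate), "->", is_allowed_forward_path(candidate))
```

The allowlist lookup is the real fix: once the forward target is chosen server-side, the container's leniency about WEB-INF no longer matters. The path checker exists only for code that cannot be refactored yet; note that it canonicalises before comparing, because a prefix test on the raw parameter is defeated by encoding and traversal.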

 

Here is what it looks like when an attacker can remotely download your application's binaries.

//forward.jsp
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>

<jsp:forward page="${param.forward}"/>

 

Given a file path as pictured (screenshot not reproduced here):

You can remotely download jar files using the following URL:

http://localhost:8080/examples/forward.jsp?forward=/WEB-INF/lib/jstl.jar

You can even download class files:

http://localhost:8080/examples/forward.jsp?forward=/WEB-INF/classes/CookieExample.class

It is true that you are not getting the source, but *.class files are trivially easy to decompile. You can also glean information about the available *.jar files from the files in the META-INF directory. Finally, disgruntled insiders can use their knowledge of the application to download known *.jar and *.class application files.

 

So if you see this vulnerability, don’t take it too lightly.
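Because a successful download looks like an ordinary 200 response from forward.jsp, the access log is the place to look for this after the fact. The following is an added example, not part of the original post and not a Tomcat or HP tool: it scans access-log lines in the common log format (the layout Tomcat's AccessLogValve "common" pattern writes), flags any query parameter whose decoded value points into WEB-INF or META-INF or contains a traversal, and marks the ones the server answered with a non-empty 200 body as likely disclosures. The log lines are constructed for illustration, and scan_access_log, summarize_by_ip and suspicious_value are hypothetical names.

```python
"""Added example (not from the original post): finding WEB-INF/META-INF
exfiltration attempts in web-server access logs.  Sample lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in the common log format (host, ident, user, time,
# request line, status, bytes).  Addresses, times and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Sep/2012:08:49:01 -0700] "GET /examples/forward.jsp?forward=/WEB-INF/lib/jstl.jar HTTP/1.1" 200 20682
10.0.0.5 - - [13/Sep/2012:08:49:07 -0700] "GET /examples/forward.jsp?forward=%2FWEB-INF%2Fclasses%2FCookieExample.class HTTP/1.1" 200 1534
192.168.1.20 - - [13/Sep/2012:08:50:12 -0700] "GET /examples/forward.jsp?forward=/pages/home.jsp HTTP/1.1" 200 812
10.0.0.5 - - [13/Sep/2012:08:51:30 -0700] "GET /examples/forward.jsp?forward=/WEB-INF/web.xml HTTP/1.1" 404 0
172.16.3.9 - - [13/Sep/2012:08:52:02 -0700] "GET /examples/forward.jsp?forward=..%2F..%2FWEB-INF%2Fclasses%2FApp.class HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# Match WEB-INF or META-INF as a whole path segment, in any letter case.
SENSITIVE_RE = re.compile(r'(^|/)(WEB-INF|META-INF)(/|$)', re.IGNORECASE)


def decode_param(value):
    """parse_qsl already decoded once; decode again to catch double-encoded
    values, and treat backslashes as separators the way some containers do."""
    return unquote(value).replace("\\", "/")


def suspicious_value(value):
    """True if a parameter value names WEB-INF/META-INF or contains a '..' step."""
    v = decode_param(value)
    return bool(SENSITIVE_RE.search(v)) or "/../" in "/" + v + "/"


def scan_access_log(text):
    """Return one finding per request whose query string carries a suspicious
    value.  'disclosed' marks requests answered 200 with a non-empty body."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines in another layout
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not suspicious_value(value):
                continue
            size = m.group("bytes")
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": parts.path,
                "param": name,
                "value": decode_param(value),
                "status": int(m.group("status")),
                "disclosed": m.group("status") == "200" and size not in ("-", "0"),
            })
    return findings


def summarize_by_ip(findings):
    """Count attempts and likely disclosures per source address."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"attempts": 0, "disclosed": 0})
        entry["attempts"] += 1
        entry["disclosed"] += int(f["disclosed"])
    return summary


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        flag = "DISCLOSED" if f["disclosed"] else "blocked/failed"
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']} "
              f"-> {f['status']} {flag}")
    print(summarize_by_ip(results))
```

Two details matter in practice: the scan decodes parameter values before matching, since the second sample line would otherwise slip past a plain "WEB-INF" string search, and it separates attempts from disclosures, because a 404 for /WEB-INF/web.xml tells you someone is probing while a 200 with a body tells you a binary has already left.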

 

Comments
Home Security Alarm
on ‎09-24-2012 10:53 PM

Excellent post. I was continuously checking this blog and I'm impressed! Very helpful information, especially the remaining part :) I care for such information much. I was looking for this particular info for a long time. Thanks and best of luck.

Home Monitoring
on ‎12-19-2012 09:55 PM

Superb post.
I was regularly looking at this blog and I'm satisfied! Very valuable info, especially the remaining part :-) I care for such information much.
I was looking for this unique info for a long time.
Thanks and best of luck.
