Security Research

File Disclosure == Intellectual Property Exfiltration

abekang on ‎09-13-2012 08:49 AM

As you already know from my previous blogs, you can expose sensitive information (web.xml, applicationContext.xml, Manifest.mf, db.properties, etc.) or invoke any web executable file (*.jsp, *.asp, *.jspx, *.aspx, *.cshtml, *.vbhtml, etc.) through a File Disclosure vulnerability.  This got me thinking about other files/folders under WEB-INF.

 

With JEE, the WEB-INF directory not only holds your web application configuration files but also your application binaries as *.jar and *.class files (in the “WEB-INF/lib” and “WEB-INF/classes” folders).    I hope you see where I am going with this…

 

Upon my first test (with GlassFish application server), things did not go well.  All of my attempts to remotely download application binaries (re: intellectual property) through a File Disclosure vulnerability failed.  I let some time pass and discussed the problem with a friend who informed me that other application servers were not as strict and allowed files to be downloaded from the “WEB-INF/lib” and “WEB-INF/classes” directory.

 

Sure enough, when I tested it out on Tomcat 6.x it worked.

 

Just for review: a File Disclosure vulnerability looks like this (an untrusted, request-controlled value used as the forward or view target):

//Spring MVC and Groovy on Grails
return new ModelAndView(untrustedPathSegmentVar, …);

//Struts 1
return new ActionForward(untrustedPathVar, …);

//In the Struts 2 struts.xml file, where url is an Action attribute
<result name="success">${url}</result>

//In a Struts 2 Action class annotation, where url is an Action attribute
@Result(location="${url}")

//Ruby on Rails
render params["forwardPath"]

//.NET MVC
return View(untrustedPathVar);

//Zend PHP
$this->_forward($untrustedPathVar, …);

//J2EE (the include/forward action attribute is "page")
<jsp:include page="untrustedPathVar" />
<jsp:forward page="${param.forward}"/>

//J2EE servlet: RequestDispatcher is obtained from the request, not constructed
RequestDispatcher rd = request.getRequestDispatcher(untrustedPathVar);
rd.forward(request, response);

 

Here is what it looks like when an attacker can remotely download your application’s binaries.

//forward.jsp
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>

<jsp:forward page="${param.forward}"/>

 

Given a file path as pictured (screenshot of the deployed examples web application layout):

You can remotely download jar files using the following URL:

http://localhost:8080/examples/forward.jsp?forward=/WEB-INF/lib/jstl.jar

You can even download class files:

http://localhost:8080/examples/forward.jsp?forward=/WEB-INF/classes/CookieExample.class

It is true that you are not getting the source, but it is trivially easy to decompile *.class files. You can also glean information about the available *.jar files from the files in the META-INF directory. Finally, disgruntled insiders can use their knowledge of the application to download known *.jar and *.class application files by name.

 

So if you see this vulnerability, don’t take it too lightly.
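As an added illustration (not code from the original post), here is a hardened counterpart to forward.jsp: a servlet that normalizes the forward parameter, refuses anything under WEB-INF or META-INF, and only then dispatches to an allowlisted view. The allowlist entries, class names and the /forward mapping are assumptions; it uses the javax.servlet API of the Tomcat 6 era.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Validates a user-supplied forward target before it reaches a RequestDispatcher. */
public final class ForwardTargetValidator {
    // Assumed allowlist: the only views this application is willing to forward to.
    private static final Set<String> ALLOWED_VIEWS = Set.of("/views/home.jsp", "/views/cookies.jsp");

    /** Returns a normalized, allowlisted path, or null if the target must be rejected. */
    public static String sanitize(String target) {
        // Only a server-relative path makes sense; "//host/..." would carry an authority.
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.indexOf('\0') >= 0) {
            return null;
        }
        String path;
        try {
            // normalize() collapses "." and ".." segments; getPath() decodes %-escapes,
            // so encoded traversal ("%2e%2e") and an encoded "WEB-INF" are caught below.
            path = URI.create(target).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return null; // malformed escape sequences or illegal characters
        }
        if (path == null || path.contains("..")) return null;
        // Never dispatch into the container's private directories (binaries live here).
        String lower = path.toLowerCase();
        if (lower.startsWith("/web-inf/") || lower.startsWith("/meta-inf/")) return null;
        return ALLOWED_VIEWS.contains(path) ? path : null;
    }
}

/** Hardened counterpart to forward.jsp: the parameter is validated, never trusted. */
@WebServlet("/forward")
class SafeForwardServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String safe = ForwardTargetValidator.sanitize(req.getParameter("forward"));
        if (safe == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        req.getRequestDispatcher(safe).forward(req, resp);
    }
}
```

The allowlist is the real control; the WEB-INF/META-INF check is defense in depth for containers that, like the Tomcat 6.x build tested above, will happily serve those directories through a forward.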

 

Comments
Home Security Alarm
on ‎09-24-2012 10:53 PM

Excellent post. I was continuously checking this blog and I’m impressed! Very helpful information, especially the remaining part :) I care for such information much. I was looking for this particular info for a long time. Thanks and best of luck.

Home Monitoring
on ‎12-19-2012 09:55 PM

Superb post.
I was looking at this blog regularly and I’m satisfied! Very valuable info, especially the remaining part :-) I care for such information much.
I was looking for this unique info for a long time.
Thanks and best of luck.
