As you already know from my previous blogs, a File Disclosure vulnerability (a server-side forward or include whose target path comes from the request) lets an attacker read sensitive configuration files (web.xml, applicationContext.xml, Manifest.mf, db.properties, etc.) or invoke any web executable file (*.jsp, *.asp, *.jspx, *.aspx, *.cshtml, *.vbhtml, etc.). This got me thinking about the other files and folders under WEB-INF.
With JEE, the WEB-INF directory not only holds your web application configuration files but also your application binaries as *.jar and *.class files (in the “WEB-INF/lib” and “WEB-INF/classes” folders). I hope you see where I am going with this…
Upon my first test (with GlassFish application server), things did not go well. All of my attempts to remotely download application binaries (re: intellectual property) through a File Disclosure vulnerability failed. I let some time pass and discussed the problem with a friend who informed me that other application servers were not as strict and allowed files to be downloaded from the “WEB-INF/lib” and “WEB-INF/classes” directory.
Sure enough, when I tested it out on Tomcat 6.x it worked.
Just for review: a File Disclosure vulnerability is a forward or include whose target path is taken from the request. In the common frameworks it looks like one of the following:
//Spring MVC and Groovy on Grails
return new ModelAndView(untrustedPathSegmentVar, …);
//Struts 1
return new ActionForward(untrustedPathVar, …);
//In Struts 2 struts.xml file where url is an Action attribute
//In Struts 2 Action class annotation where url is an Action attribute
//Ruby on Rails
//PHP (Zend Framework)
$this->_forward($untrustedPathVar, …);
//JSP
<jsp:include page="untrustedPathVar" />
//Servlet API
RequestDispatcher rd = request.getRequestDispatcher(untrustedPathVar);
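To make the pattern concrete, here is an added example (not code from the original post) of the Servlet API variant beside its fix. The class and parameter names (VulnerableViewServlet, SafeViewServlet, the page parameter, the /WEB-INF/views/ paths) are hypothetical; it assumes the javax.servlet API and Java 9 or later for Map.of. The forward reaches into WEB-INF because the container's "nothing under WEB-INF is served to a client" rule only applies to direct requests; the Servlet specification explicitly allows WEB-INF contents to be exposed through a RequestDispatcher, so whether a jar or class file actually comes back depends on the container's default servlet, which is the GlassFish versus Tomcat difference described above.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Vulnerable (hypothetical): the forward target is taken verbatim from the
// request, so a client can ask for
//   /view?page=/WEB-INF/web.xml
//   /view?page=/WEB-INF/lib/some-library.jar
//   /view?page=/WEB-INF/classes/com/example/Secret.class
// and, on a container whose default servlet serves those resources, receive
// the file contents as the response body.
class VulnerableViewServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page");            // untrusted input
        RequestDispatcher rd = req.getRequestDispatcher(page);
        rd.forward(req, resp);                             // File Disclosure
    }
}

// Hardened (hypothetical): the client only ever supplies a view *name*; the
// mapping from name to path is fixed in code, so no request can reach a path
// the application did not intend to forward to. Keeping the JSPs under
// WEB-INF is still correct here, because forwards are server-side.
class SafeViewServlet extends HttpServlet {
    private static final Map<String, String> VIEWS = Map.of(
        "home",    "/WEB-INF/views/home.jsp",
        "account", "/WEB-INF/views/account.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = VIEWS.get(req.getParameter("page"));
        if (target == null) {
            // Unknown or missing view name: refuse rather than guess a path.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

When testing a suspected instance, probe /WEB-INF/web.xml first (every JEE application has one), then a jar or class name taken from the META-INF manifests or from a stack trace; a 200 response whose body starts with the zip magic bytes (PK) for a jar, or 0xCAFEBABE for a class file, confirms the binaries are reachable. The allowlist fix above is preferable to a deny list of "/WEB-INF" prefixes, which is easy to bypass with path tricks the container normalizes after the check.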
Here is what it looks like when an attacker can remotely download your application’s binaries.
Given a file path as pictured:
You can remotely download jar files using the following URL:
You can even download class files:
It is true that the attacker is not getting the source, but *.class files are trivially easy to decompile, and the contents of the META-INF directory (the WAR's manifest and each jar's own) tell the attacker which *.jar files exist and at what versions. Finally, disgruntled insiders can use their knowledge of the application to download the *.jar and *.class files they already know by name.
So if you see this vulnerability, don't take it too lightly.