File Disclosure == Intellectual Property Exfiltration

As you already know from my previous blogs, you can expose sensitive information (web.xml, applicationContext.xml, Manifest.mf, db.properties, etc.) or invoke any web executable file (*.jsp, *.asp, *.jspx, *.aspx, *.cshtml, *.vbhtml, etc.) through a File Disclosure vulnerability. This got me thinking about other files/folders under WEB-INF.

With JEE, the WEB-INF directory not only holds your web application configuration files but also your application binaries as *.jar and *.class files (in the “WEB-INF/lib” and “WEB-INF/classes” folders). I hope you see where I am going with this…

Upon my first test (with GlassFish application server), things did not go well. All of my attempts to remotely download application binaries (re: intellectual property) through a File Disclosure vulnerability failed. I let some time pass and discussed the problem with a friend who informed me that other application servers were not as strict and allowed files to be downloaded from the “WEB-INF/lib” and “WEB-INF/classes” directories.

Sure enough, when I tested it out on Tomcat 6.x it worked.

Just for review, a File Disclosure vulnerability looks like this:

//Spring MVC and Groovy on Grails
return new ModelAndView(untrustedPathSegmentVar, …);

//Struts 1
return new ActionForward(untrustedPathVar, …);

//In Struts 2 struts.xml file, where url is an Action attribute
<result name="success">${url}</result>

//In Struts 2 Action class annotation, where url is an Action attribute
@Result(location="${url}")

//Ruby on Rails
render params["forwardPath"]

//.NET MVC
return View(untrustedPathVar);

//Zend PHP
$this->_forward($untrustedPathVar, …);

//J2EE
<jsp:include page="untrustedPathVar" />
<jsp:forward page="${param.forward}"/>

RequestDispatcher rd = request.getRequestDispatcher(untrustedPathVar);
rd.forward(request, response);

Here is what it looks like when an attacker can remotely download your application’s binaries.

//forward.jsp
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>

<jsp:forward page="${param.forward}"/>

Given a file path as pictured:

[Image: Sample File Path]

You can remotely download jar files using the following URL:

http://localhost:8080/examples/forward.jsp?forward=/WEB-INF/lib/jstl.jar

[Image: Downloading a Jar]

You can even download class files:

http://localhost:8080/examples/forward.jsp?forward=/WEB-INF/classes/CookieExample.class

[Image: Downloading a Class File]

It is true that you are not getting the source, but it is trivially easy to decompile *.class files. You can also glean information about the available *.jar files from the files in the META-INF directory. Finally, disgruntled insiders can use their knowledge of the application to download known *.jar and *.class application files.

So if you see this vulnerability, don’t take it too lightly.
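A hardened replacement for the forward.jsp shown above, as an added example that is not from the original post: the request parameter is treated as a lookup key into a fixed map of view names (hypothetical names here), so the client never supplies a path and a WEB-INF resource can never become the forward target.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical replacement for forward.jsp: the client chooses a view by key, never by path.
public class SafeForwardServlet extends HttpServlet {

    // Allowlist of logical view names -> server-side paths (hypothetical views).
    // The value is looked up, not built from input, so "/WEB-INF/lib/..." can never result.
    private static final Map<String, String> VIEWS = Map.of(
        "home",    "/views/home.jsp",
        "cookies", "/views/cookies.jsp");

    // Returns the forward target for a key, or null when the key is not allowlisted.
    static String resolve(String key) {
        return key == null ? null : VIEWS.get(key);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String target = resolve(request.getParameter("forward"));
        if (target == null) {
            // Fail closed and log the rejection server side (a useful detection signal);
            // do not echo the untrusted parameter into the response body.
            log("rejected forward key from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        RequestDispatcher rd = request.getRequestDispatcher(target);
        rd.forward(request, response);
    }
}
```

The same approach applies to the Spring, Struts, Rails, .NET and Zend patterns listed above: map the untrusted value to an entry in a fixed table of views instead of trying to filter path strings.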

Comments
Home Security Alarm (anon) | 09-24-2012 10:53 PM

Excellent post. I was continuously checking this blog and I’m impressed! Very helpful information, especially the remaining part :) I care for such information much. I was looking for this particular info for a long time. Thanks and best of luck.

Home Monitoring (anon) | 12-19-2012 09:55 PM

Superb post.
I was regularly looking at this blog and I’m satisfied! Very valuable info, especially the remaining part :-) I care for such information much.
I was looking for this unique info for a long time.
Thanks and best of luck.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.