Spark 2.5 Arbitrary File Read

`Hey folks,  
  
  
Spark (sparkjava.com) is a mildly hyped Java micro web framework that  
also provides functionality to serve static files. Unfortunately,  
there's no protection against directory traversal attacks and I haven't  
been able to contact anyone related to the project (after trying 4  
people over 2 weeks). As this bug is not that awesome, and fairly  
trivial to find, please help yourself to some semi-shitty 0-day.   
  
If configured, Spark provides two ways to serve static files, either  
from the classpath via Spark.staticFileLocation() or the filesystem via  
Spark.externalStaticFileLocation().  
  
  
-----------------------------------  
  
Classpath Vuln  
  
-----------------------------------  
  
Exploit the classpath based vulnerability with something like:  
  
curl "http://<host>/..\..\spark\Spark.class"  
  
The number of ..\ you need in the path depends on where in the classpath  
the static file location is configured to be. If you don't have the  
right amount then you don't get anything, but this is trivially brute  
forced. The classpath often has juicy things like configuration files  
and keystores, or you could look for non-framework class files and  
decompile them.  
  
  
-----------------------------------  
  
Filesystem Vuln  
  
-----------------------------------  
  
Try something like:  
  
curl  
"http://<host>/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd"  
  
  
I'm sure you can figure out what to do from here.  
  
  
  
This is tested on Spark 2.5 and git master, it should work on earlier  
versions.  
  
If you need a workaround, don't use Spark to serve static files and move  
them to another web server.  
  
  
Cheers,  
aj  
  
  
`