I have a Java webapp which is vulnerable to the directory traversal (aka path traversal) attack via URL encoding. After being authenticated:
- if I hit http://localhost:8080/Web/WEB-INF/web.xml, I get a 404 (which is fine)
- if I hit http://localhost:8080/Web/%c0%ae/WEB-INF/web.xml, I can read the file (which is obviously not fine)
As per the Servlet spec., the WEB-INF folder is not supposed to be accessible publicly, but somehow it works in this case.
I’m using Websphere 5.1 with Java 1.4, Spring Security 2.0.5 and Struts 1.3.
From what I read, it seems to be related to the encoding, %c0%ae being ‘.’ (dot) in UTF-8.
I tried the same thing on a different webapp which runs in a different environment (Tomcat 6 with Java 7, Spring Security 3 and Spring MVC) and I wasn’t able to reproduce the problem. This second webapp has a filter to force encode the pages in UTF-8 (org.springframework.web.filter.CharacterEncodingFilter), so I tried the same configuration on the first webapp, but it didn’t do the trick.
Any ideas?
Thanks.
I am going to answer my own question.
So with the limited options I had, what I ended up doing is adding to the Spring Security configuration file a security rule such as
It restricts access to WEB-INF to the ‘no-access’ role which is in fact not a role. That prevents access to all users. It is not ideal but will do the trick until there is an upgrade.
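As an added example (not code from the original question or answer, and not part of Spring Security or WebSphere), the check below restates the answer's intent of denying WEB-INF to every caller as a path filter, and also covers the mechanism described in the question: the raw path is percent-decoded to bytes and then decoded as strict UTF-8, which rejects the overlong form %c0%ae instead of silently turning it into a '.' segment. The context root /Web and the function names are assumptions for the example; the sample paths are constructed from the two URLs in the question.

```python
"""Added example (not from the original post): strict request-path checking
that refuses the overlong-UTF-8 traversal described in the question.

A lenient decoder turns the byte pair C0 AE into '.', so /Web/%c0%ae/WEB-INF/
web.xml normalises to /Web/WEB-INF/web.xml after the container has already
decided the path is not under WEB-INF.  Strict UTF-8 decoding rejects the
overlong form outright.  Function names are hypothetical.
"""
import posixpath
from urllib.parse import unquote_to_bytes

# Directories the Servlet specification keeps off-limits to clients.
PROTECTED_SEGMENTS = {"web-inf", "meta-inf"}


def canonical_path(raw_path: str) -> str:
    """Percent-decode the raw request path to bytes, decode it as strict
    UTF-8 and collapse '.' / '..' segments.

    Raises ValueError when the decoded bytes are not valid UTF-8, which is
    exactly the case for overlong encodings such as %c0%ae, or when a NUL
    byte is present.
    """
    raw_bytes = unquote_to_bytes(raw_path)
    try:
        decoded = raw_bytes.decode("utf-8")  # strict: refuses C0 AE and friends
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 in request path: {exc.reason}") from exc
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    # normpath collapses '/./', '/../' and repeated slashes.
    return posixpath.normpath(decoded)


def is_protected(raw_path: str, context_root: str = "/Web") -> bool:
    """Return True when the request must be denied: the path cannot be
    decoded strictly, it escapes the context root, or any segment below the
    context root names a protected directory (compared case-insensitively,
    since WebSphere may sit on a case-insensitive filesystem)."""
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return True
    root = posixpath.normpath(context_root)
    if not (path == root or path.startswith(root + "/")):
        return True  # '..' walked out of the application's context
    relative = path[len(root):].lstrip("/")
    return any(seg.lower() in PROTECTED_SEGMENTS for seg in relative.split("/") if seg)


# Constructed sample paths, modelled on the two URLs in the question plus the
# plain percent-encoded dot, which a strict decoder accepts but normpath folds.
SAMPLE_PATHS = [
    "/Web/index.jsp",
    "/Web/WEB-INF/web.xml",
    "/Web/%c0%ae/WEB-INF/web.xml",
    "/Web/%2e/WEB-INF/web.xml",
]


def classify(paths):
    """Map each raw path to 'allow' or 'deny' according to is_protected."""
    return {p: ("deny" if is_protected(p) else "allow") for p in paths}


if __name__ == "__main__":
    for p, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:5s} {p}")
```

Run as a script it prints one verdict per sample path; in a servlet filter the same logic would run on the raw (undecoded) request URI before the container or Struts performs its own decoding, so that a rejected path never reaches the dispatcher.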