ABSTRACT

Constructing a server-side redirect or forward path from user input can allow an attacker to download application binaries (including application classes or JAR files) or to view arbitrary files within protected directories such as /WEB-INF.

EXPLANATION

In Spring Webflow, a view resolver is used to translate a view name into an actual rendering technology. Typically a view resolver limits the type and location of the files it will resolve by applying a fixed prefix and suffix to the view name. However, using request parameters to specify the view name allows this mechanism to be circumvented, because the attacker then controls the part of the path between the prefix and the suffix.
Example 1: The following Spring Webflow configuration uses request parameters to specify the view name.


<webflow:end-state id="finalStep" view="${requestParameters.url}"/>
<webflow:view-state id="showView" view="${requestParameters.test}"/>

The view resolver in the following configuration is intended to allow only JSP files under "/WEB-INF/views/" to be resolved:


<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="prefix" value="/WEB-INF/views/" />
  <property name="suffix" value=".jsp" />
</bean>


An attacker could use the following URL to view the applicationContext.xml file: "http://www.yourcorp.com/webApp/logic?url=../applicationContext.xml;x="
The InternalResourceViewResolver takes the prefix it is configured with, concatenates the value passed in the view attribute, and finally appends the suffix; no normalization or validation is applied to the result.
The resulting relative URL, "/WEB-INF/views/../applicationContext.xml;x=.jsp", is passed to the server-side request dispatcher. The semicolon turns the ".jsp" suffix into a path parameter, which the container strips, and the "../" segment then escapes the "views" directory, so the forward targets "/WEB-INF/applicationContext.xml". Because a server-side forward is not subject to the client-facing restriction on "/WEB-INF", this attack can be used to disclose any file under the web app root, including resources that are never served directly to clients.
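To make the path construction above concrete, the following Python script, added here as an illustration and not code from the original page or from Spring, models the two steps involved: the resolver's naive prefix + view + suffix concatenation, and the container's interpretation of the forward path (path parameters stripped, then "." and ".." collapsed). It then shows the alternative a practitioner would want: the request parameter is used only as a key into an application-controlled allow-list, so untrusted input never becomes a view name. The function names, the allow-list entries and the simplified container model are assumptions for illustration; real containers differ in detail.

```python
import posixpath
import re

# Constructed to match the page's resolver configuration.
PREFIX = "/WEB-INF/views/"
SUFFIX = ".jsp"


def resolve_view_path(view_name, prefix=PREFIX, suffix=SUFFIX):
    """Model of what InternalResourceViewResolver builds: prefix + view + suffix.

    No validation or normalization happens here; the raw concatenation is
    handed to the servlet container's RequestDispatcher.
    """
    return prefix + view_name + suffix


def dispatcher_target(path):
    """Simplified model (assumption) of how a servlet container interprets a forward path.

    1. Each segment loses its path parameters (everything from the first ';'),
       which turns 'applicationContext.xml;x=.jsp' into 'applicationContext.xml'
       and neutralizes the '.jsp' suffix the resolver appended.
    2. '.' and '..' segments are then collapsed, which lets '../' escape the
       'views/' directory.
    """
    stripped = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(stripped)


# Hardened handling: the request parameter is never used as a view name.
# It is a key into an allow-list that the application controls (hypothetical entries).
VIEW_ALLOW_LIST = {
    "confirm": "confirmation",
    "summary": "orderSummary",
}

# Defence in depth for any view name: a single path segment of safe characters,
# so no '/', '..' or ';' can ever reach the resolver.
SAFE_VIEW_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def is_safe_view_name(name):
    """True only for a plain view name that cannot alter the resolved path."""
    return bool(SAFE_VIEW_NAME.match(name))


def select_view(requested, default="home"):
    """Map an untrusted request parameter to a view name without passing it through."""
    view = VIEW_ALLOW_LIST.get(requested, default)
    if not is_safe_view_name(view):
        raise ValueError("allow-list entry is not a plain view name: %r" % view)
    return view


if __name__ == "__main__":
    attack = "../applicationContext.xml;x="          # the page's attack string
    print(resolve_view_path(attack))                  # what the resolver builds
    print(dispatcher_target(resolve_view_path(attack)))  # what the container forwards to
    print(select_view(attack))                        # hardened: falls back to "home"
```

In the flow definition itself, the corresponding fix is to use literal view names (for example view="confirmation") rather than ${requestParameters...} expressions; where the user genuinely must choose between views, resolve the choice through an allow-list such as the one modelled above before it reaches the view attribute.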

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References

[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 552

[5] Seth Ladd Expert Spring MVC and Web Flow

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8

[9] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 073

[10] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC