Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories.
In Spring Webflow, a view resolver is used to translate a view name into an actual rendering technology. Typically a view resolver will limit the type and location of the files using prefixes and suffixes. However, using request parameters to specify the view name allows this mechanism to be circumvented.
Example 1: The following Spring Webflow configuration uses request parameters to specify the view name.
<!-- The view name comes straight from a request parameter, so the client controls it -->
<webflow:end-state id="finalStep" view="${requestParameters.url}"/>
<webflow:view-state id="showView" view="${requestParameters.test}"/>

<!-- The resolver only constrains the view by wrapping it in a prefix and a suffix -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="prefix" value="/WEB-INF/views/" />
  <property name="suffix" value=".jsp" />
</bean>
InternalResourceViewResolver will take the prefix it is configured with, then concatenate the value passed in the view attribute, and finally add the suffix. Because the view name is taken directly from the request, the resulting path is only as constrained as the value the client supplied.
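The following added example (not part of the original text or of Spring) models the prefix/view/suffix concatenation described above and shows the two defensive checks a practitioner would want: an allow-list of known view names in place of the raw request parameter, and a confirmation that the resolved path still lies under the configured prefix. PREFIX and SUFFIX mirror the configuration in Example 1; the allow-list and the sample view names are constructed for illustration.

```python
import posixpath
import re

# Mirrors the resolver configuration from Example 1 (assumed, not Spring's own code).
PREFIX = "/WEB-INF/views/"
SUFFIX = ".jsp"

# A flow references a fixed set of views, so only plain identifiers are acceptable.
VIEW_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_view(view_name: str) -> str:
    """Model of InternalResourceViewResolver: prefix + view name + suffix."""
    return PREFIX + view_name + SUFFIX


def stays_under_prefix(path: str) -> bool:
    """True only if the normalized path is still inside the configured prefix."""
    normalized = posixpath.normpath(path)
    return normalized.startswith(PREFIX)


def safe_view_name(view_name: str, allowed_views: set[str]) -> str:
    """Defensive replacement for ${requestParameters.url}: accept the parameter
    only if it names one of the views the flow is known to render."""
    if not VIEW_NAME_RE.fullmatch(view_name) or view_name not in allowed_views:
        raise ValueError(f"rejected view name: {view_name!r}")
    return view_name


def resolve_request_view(param: str, allowed_views: set[str]) -> str:
    """Resolve a request-supplied view name safely: allow-list first, then
    verify the resolved path never escapes the prefix."""
    name = safe_view_name(param, allowed_views)
    path = resolve_view(name)
    if not stays_under_prefix(path):
        raise ValueError(f"resolved path escapes {PREFIX}: {path!r}")
    return path


if __name__ == "__main__":
    allowed = {"finalStep", "showView"}  # constructed allow-list
    # Constructed inputs: one legitimate view name, one traversal attempt.
    for candidate in ["finalStep", "../../WEB-INF/web.xml"]:
        raw = resolve_view(candidate)
        print(f"{candidate!r} -> {raw!r}, inside prefix: {stays_under_prefix(raw)}")
        try:
            print("  accepted:", resolve_request_view(candidate, allowed))
        except ValueError as exc:
            print("  ", exc)
```

The unchecked concatenation accepts the traversal input and produces a path outside /WEB-INF/views/, while the allow-listed path rejects it before any resolution happens.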