ABSTRACT

Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories.

EXPLANATION

A file disclosure occur when:
1. Data enters a program from an untrusted source.


2. The data is used to dynamically construct a path.



Example 1: The following code takes untrusted data and uses it to build a path which is used in a server side forward.


...
String returnURL = request.getParameter("returnURL");
return new ActionForward(returnURL);
...


If an attacker provided a URL with the request parameter matching a sensitive file location, they would be able to view that file. For example, "http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" would allow them to view the applicationContext.xml of the application.
Once the attacker had the applicationContext.xml, they could locate and download other configuration files referenced in the applicationContext.xml or even class or jar files. This would allow attackers to gain sensitive infomation about an application and target it for other types of attack.

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References

[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 552

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8

[8] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 073

[9] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC