Add a jsp to cause unintended file disclosure

src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java

@@ -13,8 +13,6 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import sun.util.logging.resources.logging;
-
 /**
  * Servlet Filter for authentication
  */
@@ -40,7 +38,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
         HttpServletResponse response = (HttpServletResponse) res;
         String target = request.getRequestURI();
 
-        if (target.startsWith("/admins") || target.equals("/udc/serverinfo.jsp")) {
+        if (target.startsWith("/admins") || target.equals("/uid/serverinfo.jsp")) {
             /* Login (authentication) is needed to access admin pages (under /admins). */
 
             String loginType = request.getParameter("logintype");

src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java

@@ -26,6 +26,8 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser
         bodyHtml.append("<br><br>");
         bodyHtml.append(MessageUtils.getMsg("label.login.user.id", locale) + ": " + userid);
         bodyHtml.append("<br><br>");
+        bodyHtml.append("<a href=\"/uid/serverinfo.jsp\">" + MessageUtils.getMsg("section.server.info", locale) + "</a>");
+        bodyHtml.append("<br><br>");
         bodyHtml.append("<a href=\"/logout\">" + MessageUtils.getMsg("label.logout", locale) + "</a>");
         HTTPResponseCreator.createSimpleResponse(res, MessageUtils.getMsg("title.admins.main.page", locale),
                 bodyHtml.toString());

src/main/resources/indexpage_en.properties

@@ -67,6 +67,8 @@ function.name.brute.force=Brute-force
 function.description.brute.force=This page is vulnerable for brute-force attack because it does not have an account lock mechanism.
 function.name.dangerous.file.inclusion=Dangerous File Inclusion
 function.description.dangerous.file.inclusion=An external dangerous file can be included in this page.
+function.name.unintended.file.disclosure=Unintended File Disclosure
+function.description.unintended.file.disclosure=There is an unintended file disclosure vulnerability in this page.
 
 section.errors=Errors
 description.errors=OutOfMemoryError, StackOverflowError, NoClassDefFoundError, and so on:

src/main/resources/indexpage_ja.properties

@@ -70,6 +70,8 @@ function.name.brute.force=\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9
 function.description.brute.force=\u3053\u306e\u30da\u30fc\u30b8\u306b\u306f\u30a2\u30ab\u30a6\u30f3\u30c8\u30ed\u30c3\u30af\u304c\u7121\u3044\u305f\u3081\u3001\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9\u653b\u6483\u306b\u5bfe\u3057\u3066\u306e\u8106\u5f31\u3067\u3059\u3002
 function.name.dangerous.file.inclusion=\u5371\u967a\u306a\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9
 function.description.dangerous.file.inclusion=\u3053\u306e\u30da\u30fc\u30b8\u3067\u306f\u5916\u90e8\u306e\u5371\u967a\u306a\u30d5\u30a1\u30a4\u30eb\u3092\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u53ef\u80fd\u3067\u3059\u3002
+function.name.unintended.file.disclosure=\u610f\u56f3\u3057\u306a\u3044\u30d5\u30a1\u30a4\u30eb\u516c\u958b
+function.description.unintended.file.disclosure=\u3053\u306e\u30da\u30fc\u30b8\u306b\u306f\u610f\u56f3\u3057\u306a\u3044\u30d5\u30a1\u30a4\u30eb\u516c\u958b\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002
 
 
 section.errors=\u30a8\u30e9\u30fc

src/main/resources/messages_en.properties

@@ -89,6 +89,9 @@ If you add goto=[an URL of a malicious site] to the query string, you can redire
 msg.note.unrestricted.ext.upload=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 If you upload JSP file (named exit.jsp) including <% System.exit(0); %> and access to http://localhost:8080/uploadFiles/exit.jsp, \
 then JavaVM is forcibly finished.
+msg.note.unintended.file.disclosure=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
+If the directory listing feature works and you access to http://localhost:8080/uid/, then you can see the file list in the uid directory. \
+If you login as an acount written in http://localhost:8080/uid/adminpassword.txtm you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.xss=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
@@ -112,7 +115,9 @@ msg.thread.leak.occur=Thread leak occurs every time you load this page.
 msg.valid.json=Valid JSON!
 msg.warn.select.asc.or.desc=Please select "asc" or "desc" and click the Update button.
 msg.warn.enter.name.and.passwd=Please enter your name and password.
+section.client.info=Client Information
 section.design.test=Design Test
+section.server.info=Server Information
 style.name.bootstrap=Bootstrap
 style.description.bootstrap=For more detail, please refer to the page: http://getbootstrap.com/
 style.name.google.mdl=Google Material Design Lite

src/main/resources/messages_ja.properties

@@ -86,6 +86,9 @@ msg.note.slow.regular.expression=<span class="glyphicon glyphicon-info-sign"></s
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\u6587\u5b57\u5217\u306b\u300caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042\u300d\u3092\u5165\u529b\u3059\u308b\u3068...
 msg.note.open.redirect=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 \u30af\u30a8\u30ea\u30b9\u30c8\u30ea\u30f3\u30b0\u306bgoto=[\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30c8\u306eURL]\u3092\u4ed8\u52a0\u3059\u308b\u3068\u3001\u30c1\u30a7\u30c3\u30af\u305b\u305a\u306b\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30c8\u306eURL\u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3057\u307e\u3059\u3002
+msg.note.unintended.file.disclosure=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
+\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30ea\u30b9\u30c6\u30a3\u30f3\u30b0\u304c\u6a5f\u80fd\u3057\u3066\u3044\u308b\u5834\u5408\u3001http://localhost:8080/uid/\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\u305d\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5185\u306e\u30d5\u30a1\u30a4\u30eb\u4e00\u89a7\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002\
+\u3055\u3089\u306bhttp://localhost:8080/uid/adminpassword.txt\u306b\u8a18\u8f09\u3055\u308c\u305f\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u3068\u3001http://localhost:8080/uid/serverinfo.jsp\u3078\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002
 msg.note.unrestricted.ext.upload=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 <% System.exit(0); %>\u3068\u66f8\u3044\u305fJSP\u30d5\u30a1\u30a4\u30eb(\u30d5\u30a1\u30a4\u30eb\u540d\uff1aexit.jsp)\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u3066\u3001http://localhost:8080/uploadFiles/exit.jsp\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\
  JavaVM\u304c\u5f37\u5236\u7d42\u4e86\u3057\u307e\u3059\u3002
@@ -112,7 +115,9 @@ msg.thread.leak.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u8aad\u307f\u8fbc\u30
 msg.valid.json=\u6b63\u3057\u3044JSON\u6587\u5b57\u5217\u3067\u3059\u3002
 msg.warn.select.asc.or.desc=\u300c\u6607\u9806\u300d\u307e\u305f\u306f\u300c\u964d\u9806\u300d\u3092\u9078\u629e\u3057\u3066\u3001\u66f4\u65b0\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u4e0b\u3055\u3044\u3002
 msg.warn.enter.name.and.passwd=\u540d\u524d\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
+section.client.info=\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u60c5\u5831
 section.design.test=\u30c7\u30b6\u30a4\u30f3\u30c6\u30b9\u30c8
+section.server.info=\u30b5\u30fc\u30d0\u30fc\u60c5\u5831
 style.name.bootstrap=Bootstrap
 style.description.bootstrap=\u8a73\u7d30\u306f\u6b21\u306e\u30da\u30fc\u30b8\u3092\u53c2\u7167\u4e0b\u3055\u3044: http://getbootstrap.com/
 style.name.google.mdl=Google Material Design Lite

src/main/webapp/index.jsp

@@ -164,6 +164,11 @@
 						key="function.name.dangerous.file.inclusion" /></a>:
 			<fmt:message key="function.description.dangerous.file.inclusion" />
 		</p></li>
+		<li><p>
+			<a href="/uid/clientinfo.jsp" target="_blank"><fmt:message
+						key="function.name.unintended.file.disclosure" /></a>:
+			<fmt:message key="function.description.unintended.file.disclosure" />
+		</p></li>
 	</ul>
 
 	<h2>

src/main/webapp/uid/clientinfo.jsp

@@ -0,0 +1,29 @@
+<%@ page pageEncoding="UTF-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<c:set var="language"
+	value="${not empty param.language ? param.language : not empty language ? language : pageContext.request.locale}"
+	scope="session" />
+<fmt:setLocale value="${language}" />
+<fmt:setBundle basename="messages" />
+<!DOCTYPE HTML>
+<html>
+<head>
+<title><fmt:message key="section.client.info" /></title>
+<c:import url="/dfi/style_bootstrap.html" /> 
+</head>
+<body style="margin:20px;">
+	<h2>
+		<span class="glyphicon glyphicon-knight"></span>&nbsp;
+		<fmt:message key="section.client.info" />
+	</h2>
+    <hr/>
+	<ul>
+		<li><p>User-Agent: <%=request.getHeader("user-agent")%></p></li>
+		<li><p>Accept-Language: <%=request.getHeader("Accept-Language")%></p></li>
+	</ul>
+	<hr/>
+	<p><fmt:message key="msg.note.unintended.file.disclosure" /></p>
+</body>
+</html>

src/main/webapp/udc/serverinfo.jsp → src/main/webapp/uid/serverinfo.jsp

@@ -11,11 +11,15 @@
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
 <html>
 <head>
-<title>EasyBuggy</title>
+<title><fmt:message key="section.server.info" /></title>
 <c:import url="/dfi/style_bootstrap.html" /> 
 </head>
 <body style="margin:20px;">
- <a href="/logout"><fmt:message key="label.logout" /></a><hr/>
+	<h2>
+		<span class="glyphicon glyphicon-knight"></span>&nbsp;
+		<fmt:message key="section.server.info" />
+	</h2>
+    <a href="/logout"><fmt:message key="label.logout" /></a><hr/>
 <% request.setAttribute("systemProperties", java.lang.System.getProperties()); %>
  <table width="760">
   <tr>