From bbb30f997d26ec6da3deae69464ab1bcf3c2d2ce Mon Sep 17 00:00:00 2001 From: k-tamura Date: Wed, 15 Mar 2017 00:31:33 +0900 Subject: [PATCH] Add a jsp to cause unintended file disclosure --- .../core/filters/AuthenticationFilter.java | 4 +-- .../core/servlets/AdminsMainServlet.java | 2 ++ src/main/resources/indexpage_en.properties | 2 ++ src/main/resources/indexpage_ja.properties | 2 ++ src/main/resources/messages_en.properties | 5 ++++ src/main/resources/messages_ja.properties | 5 ++++ src/main/webapp/index.jsp | 5 ++++ src/main/webapp/udc/clientinfo.jsp | 14 --------- .../webapp/{udc => uid}/adminpassword.txt | 0 src/main/webapp/uid/clientinfo.jsp | 29 +++++++++++++++++++ src/main/webapp/{udc => uid}/serverinfo.jsp | 8 +++-- 11 files changed, 57 insertions(+), 19 deletions(-) delete mode 100644 src/main/webapp/udc/clientinfo.jsp rename src/main/webapp/{udc => uid}/adminpassword.txt (100%) create mode 100644 src/main/webapp/uid/clientinfo.jsp rename src/main/webapp/{udc => uid}/serverinfo.jsp (78%) diff --git a/src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java b/src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java index c9b9b41f..51c36ea3 100644 --- a/src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java +++ b/src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java @@ -13,8 +13,6 @@ import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; -import sun.util.logging.resources.logging; - /** * Servlet Filter for authentication */ @@ -40,7 +38,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) HttpServletResponse response = (HttpServletResponse) res; String target = request.getRequestURI(); - if (target.startsWith("/admins") || target.equals("/udc/serverinfo.jsp")) { + if (target.startsWith("/admins") || target.equals("/uid/serverinfo.jsp")) { /* Login (authentication) is needed to access admin pages (under /admins). */ String loginType = request.getParameter("logintype"); diff --git a/src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java b/src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java index 397e00ad..18cece9b 100644 --- a/src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java @@ -26,6 +26,8 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser bodyHtml.append("

"); bodyHtml.append(MessageUtils.getMsg("label.login.user.id", locale) + ": " + userid); bodyHtml.append("

"); + bodyHtml.append("" + MessageUtils.getMsg("section.server.info", locale) + ""); + bodyHtml.append("

"); bodyHtml.append("" + MessageUtils.getMsg("label.logout", locale) + ""); HTTPResponseCreator.createSimpleResponse(res, MessageUtils.getMsg("title.admins.main.page", locale), bodyHtml.toString()); diff --git a/src/main/resources/indexpage_en.properties b/src/main/resources/indexpage_en.properties index e2900cf6..ead43386 100644 --- a/src/main/resources/indexpage_en.properties +++ b/src/main/resources/indexpage_en.properties @@ -67,6 +67,8 @@ function.name.brute.force=Brute-force function.description.brute.force=This page is vulnerable for brute-force attack because it does not have an account lock mechanism. function.name.dangerous.file.inclusion=Dangerous File Inclusion function.description.dangerous.file.inclusion=An external dangerous file can be included in this page. +function.name.unintended.file.disclosure=Unintended File Disclosure +function.description.unintended.file.disclosure=There is an unintended file disclosure vulnerability in this page. section.errors=Errors description.errors=OutOfMemoryError, StackOverflowError, NoClassDefFoundError, and so on: diff --git a/src/main/resources/indexpage_ja.properties b/src/main/resources/indexpage_ja.properties index 7e0cfac0..6c6574f9 100644 --- a/src/main/resources/indexpage_ja.properties +++ b/src/main/resources/indexpage_ja.properties @@ -70,6 +70,8 @@ function.name.brute.force=\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9 function.description.brute.force=\u3053\u306e\u30da\u30fc\u30b8\u306b\u306f\u30a2\u30ab\u30a6\u30f3\u30c8\u30ed\u30c3\u30af\u304c\u7121\u3044\u305f\u3081\u3001\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9\u653b\u6483\u306b\u5bfe\u3057\u3066\u306e\u8106\u5f31\u3067\u3059\u3002 function.name.dangerous.file.inclusion=\u5371\u967a\u306a\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9 function.description.dangerous.file.inclusion=\u3053\u306e\u30da\u30fc\u30b8\u3067\u306f\u5916\u90e8\u306e\u5371\u967a\u306a\u30d5\u30a1\u30a4\u30eb\u3092\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u53ef\u80fd\u3067\u3059\u3002 +function.name.unintended.file.disclosure=\u610f\u56f3\u3057\u306a\u3044\u30d5\u30a1\u30a4\u30eb\u516c\u958b +function.description.unintended.file.disclosure=\u3053\u306e\u30da\u30fc\u30b8\u306b\u306f\u610f\u56f3\u3057\u306a\u3044\u30d5\u30a1\u30a4\u30eb\u516c\u958b\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002 section.errors=\u30a8\u30e9\u30fc diff --git a/src/main/resources/messages_en.properties b/src/main/resources/messages_en.properties index b7c2518d..9bdf49ee 100644 --- a/src/main/resources/messages_en.properties +++ b/src/main/resources/messages_en.properties @@ -89,6 +89,9 @@ If you add goto=[an URL of a malicious site] to the query string, you can redire msg.note.unrestricted.ext.upload=  \ If you upload JSP file (named exit.jsp) including <% System.exit(0); %> and access to http://localhost:8080/uploadFiles/exit.jsp, \ then JavaVM is forcibly finished. +msg.note.unintended.file.disclosure=  \ +If the directory listing feature works and you access to http://localhost:8080/uid/, then you can see the file list in the uid directory. \ +If you login as an acount written in http://localhost:8080/uid/adminpassword.txtm you can access to /uid/serverinfo.jsp. msg.note.unrestricted.size.upload=  \ This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size. msg.note.xss=  \ @@ -112,7 +115,9 @@ msg.thread.leak.occur=Thread leak occurs every time you load this page. msg.valid.json=Valid JSON! msg.warn.select.asc.or.desc=Please select "asc" or "desc" and click the Update button. msg.warn.enter.name.and.passwd=Please enter your name and password. +section.client.info=Client Information section.design.test=Design Test +section.server.info=Server Information style.name.bootstrap=Bootstrap style.description.bootstrap=For more detail, please refer to the page: http://getbootstrap.com/ style.name.google.mdl=Google Material Design Lite diff --git a/src/main/resources/messages_ja.properties b/src/main/resources/messages_ja.properties index 0c21872f..660674b8 100644 --- a/src/main/resources/messages_ja.properties +++ b/src/main/resources/messages_ja.properties @@ -86,6 +86,9 @@ msg.note.slow.regular.expression=  \ \u30af\u30a8\u30ea\u30b9\u30c8\u30ea\u30f3\u30b0\u306bgoto=[\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30c8\u306eURL]\u3092\u4ed8\u52a0\u3059\u308b\u3068\u3001\u30c1\u30a7\u30c3\u30af\u305b\u305a\u306b\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30c8\u306eURL\u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3057\u307e\u3059\u3002 +msg.note.unintended.file.disclosure=  \ +\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30ea\u30b9\u30c6\u30a3\u30f3\u30b0\u304c\u6a5f\u80fd\u3057\u3066\u3044\u308b\u5834\u5408\u3001http://localhost:8080/uid/\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\u305d\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5185\u306e\u30d5\u30a1\u30a4\u30eb\u4e00\u89a7\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002\ +\u3055\u3089\u306bhttp://localhost:8080/uid/adminpassword.txt\u306b\u8a18\u8f09\u3055\u308c\u305f\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u3068\u3001http://localhost:8080/uid/serverinfo.jsp\u3078\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002 msg.note.unrestricted.ext.upload=  \ <% System.exit(0); %>\u3068\u66f8\u3044\u305fJSP\u30d5\u30a1\u30a4\u30eb(\u30d5\u30a1\u30a4\u30eb\u540d\uff1aexit.jsp)\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u3066\u3001http://localhost:8080/uploadFiles/exit.jsp\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\ JavaVM\u304c\u5f37\u5236\u7d42\u4e86\u3057\u307e\u3059\u3002 @@ -112,7 +115,9 @@ msg.thread.leak.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u8aad\u307f\u8fbc\u30 msg.valid.json=\u6b63\u3057\u3044JSON\u6587\u5b57\u5217\u3067\u3059\u3002 msg.warn.select.asc.or.desc=\u300c\u6607\u9806\u300d\u307e\u305f\u306f\u300c\u964d\u9806\u300d\u3092\u9078\u629e\u3057\u3066\u3001\u66f4\u65b0\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u4e0b\u3055\u3044\u3002 msg.warn.enter.name.and.passwd=\u540d\u524d\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002 +section.client.info=\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u60c5\u5831 section.design.test=\u30c7\u30b6\u30a4\u30f3\u30c6\u30b9\u30c8 +section.server.info=\u30b5\u30fc\u30d0\u30fc\u60c5\u5831 style.name.bootstrap=Bootstrap style.description.bootstrap=\u8a73\u7d30\u306f\u6b21\u306e\u30da\u30fc\u30b8\u3092\u53c2\u7167\u4e0b\u3055\u3044: http://getbootstrap.com/ style.name.google.mdl=Google Material Design Lite diff --git a/src/main/webapp/index.jsp b/src/main/webapp/index.jsp index 99146d5f..929c8a0d 100644 --- a/src/main/webapp/index.jsp +++ b/src/main/webapp/index.jsp @@ -164,6 +164,11 @@ key="function.name.dangerous.file.inclusion" />:

+

  • + : + +

    • diff --git a/src/main/webapp/udc/clientinfo.jsp b/src/main/webapp/udc/clientinfo.jsp deleted file mode 100644 index 0a54b7e1..00000000 --- a/src/main/webapp/udc/clientinfo.jsp +++ /dev/null @@ -1,14 +0,0 @@ - -<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%> - - -EasyBuggy - - - -
      -

    • User-Agent: <%=request.getHeader("user-agent")%>

      • -

    • Accept-Language: <%=request.getHeader("Accept-Language")%>

      • -
    - - \ No newline at end of file diff --git a/src/main/webapp/udc/adminpassword.txt b/src/main/webapp/uid/adminpassword.txt similarity index 100% rename from src/main/webapp/udc/adminpassword.txt rename to src/main/webapp/uid/adminpassword.txt diff --git a/src/main/webapp/uid/clientinfo.jsp b/src/main/webapp/uid/clientinfo.jsp new file mode 100644 index 00000000..8abc2867 --- /dev/null +++ b/src/main/webapp/uid/clientinfo.jsp @@ -0,0 +1,29 @@ +<%@ page pageEncoding="UTF-8"%> +<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> +<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%> +<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%> + + + + + + +<fmt:message key="section.client.info" /> + + + +

    +   + +

    +
    +
      +

    • User-Agent: <%=request.getHeader("user-agent")%>

      • +

    • Accept-Language: <%=request.getHeader("Accept-Language")%>

      • +
    +
    +

    + + \ No newline at end of file diff --git a/src/main/webapp/udc/serverinfo.jsp b/src/main/webapp/uid/serverinfo.jsp similarity index 78% rename from src/main/webapp/udc/serverinfo.jsp rename to src/main/webapp/uid/serverinfo.jsp index 9212ee5d..0985afc3 100644 --- a/src/main/webapp/udc/serverinfo.jsp +++ b/src/main/webapp/uid/serverinfo.jsp @@ -11,11 +11,15 @@ <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%> -EasyBuggy +<fmt:message key="section.server.info" /> -
    +

    +   + +

    +
    <% request.setAttribute("systemProperties", java.lang.System.getProperties()); %>