Add feature of information disclosure

src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java

@@ -13,6 +13,8 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import sun.util.logging.resources.logging;
+
 /**
  * Servlet Filter for authentication
  */
@@ -38,7 +40,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
         HttpServletResponse response = (HttpServletResponse) res;
         String target = request.getRequestURI();
 
-        if (target.startsWith("/admins")) {
+        if (target.startsWith("/admins") || target.equals("/udc/serverinfo.jsp")) {
             /* Login (authentication) is needed to access admin pages (under /admins). */
 
             String loginType = request.getParameter("logintype");

src/main/webapp/jsp/includable.jsp → src/main/webapp/dfi/includable.jsp

@@ -1,6 +1,7 @@
 <%@ page pageEncoding="UTF-8"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
 <%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
 <c:set var="language"
 	value="${not empty param.language ? param.language : not empty language ? language : pageContext.request.locale}"
 	scope="session" />
@@ -11,7 +12,7 @@
 <head>
 <title>EasyBuggy</title>
 <c:catch var="ex">
-	<c:if test="${param.template != null}">
+	<c:if test="${param.template != null && !fn:contains(param.template,'../')}">
 		<c:import url="<%= request.getParameter(\"template\")%>" /> 
 	</c:if>
 </c:catch>
@@ -39,17 +40,17 @@
 			<fmt:message key="style.description.nonstyle" />
 		</p></li>
 		<li><p>
-			<a href=includable.jsp?template=/html/style_bootstrap.html><fmt:message
+			<a href=includable.jsp?template=style_bootstrap.html><fmt:message
 						key="style.name.bootstrap" /></a>:
 			<fmt:message key="style.description.bootstrap" />
 		</p></li>
 		<li><p>
-			<a href=includable.jsp?template=/html/style_google_mdl.html><fmt:message
+			<a href=includable.jsp?template=style_google_mdl.html><fmt:message
 						key="style.name.google.mdl" /></a>:
 			<fmt:message key="style.description.google.mdl" />
 		</p></li>
 		<li><p>
-			<a href=includable.jsp?template=/html/style_materialize.html><fmt:message
+			<a href=includable.jsp?template=style_materialize.html><fmt:message
 						key="style.name.materialize" /></a>:
 			<fmt:message key="style.description.materialize" />
 		</p></li>

src/main/webapp/index.jsp

@@ -10,7 +10,7 @@
 <html>
 <head>
 <title>EasyBuggy</title>
-<c:import url="/html/style_bootstrap.html" /> 
+<c:import url="/dfi/style_bootstrap.html" /> 
 </head>
 <body style="margin:20px;">
 	<header>
@@ -160,7 +160,7 @@
 			<fmt:message key="function.description.brute.force" />
 		</p></li>
 		<li><p>
-			<a href="/jsp/includable.jsp?template=/html/style_bootstrap.html" target="_blank"><fmt:message
+			<a href="/dfi/includable.jsp?template=style_bootstrap.html" target="_blank"><fmt:message
 						key="function.name.dangerous.file.inclusion" /></a>:
 			<fmt:message key="function.description.dangerous.file.inclusion" />
 		</p></li>

src/main/webapp/udc/adminpassword.txt

@@ -0,0 +1,4 @@
+Mark, password
+David, p@s2w0rd
+Peter, pa33word
+James, pathwood

src/main/webapp/udc/clientinfo.jsp

@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
+<html>
+<head>
+<title>EasyBuggy</title>
+<c:import url="/dfi/style_bootstrap.html" /> 
+</head>
+<body style="margin:20px;">
+	<ul>
+		<li><p>User-Agent: <%=request.getHeader("user-agent")%></p></li>
+		<li><p>Accept-Language: <%=request.getHeader("Accept-Language")%></p></li>
+	</ul>
+</body>
+</html>

src/main/webapp/udc/serverinfo.jsp

@@ -0,0 +1,37 @@
+<%@ page pageEncoding="UTF-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<c:set var="language"
+	value="${not empty param.language ? param.language : not empty language ? language : pageContext.request.locale}"
+	scope="session" />
+<fmt:setLocale value="${language}" />
+<fmt:setBundle basename="messages" />
+<!DOCTYPE HTML>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
+<html>
+<head>
+<title>EasyBuggy</title>
+<c:import url="/dfi/style_bootstrap.html" /> 
+</head>
+<body style="margin:20px;">
+ <a href="/logout"><fmt:message key="label.logout" /></a><hr/>
+<% request.setAttribute("systemProperties", java.lang.System.getProperties()); %>
+ <table width="760">
+  <tr>
+   <th>Key</th>
+   <th>Value</th>
+  </tr>
+  <c:forEach var="entry" items="${systemProperties}">
+   <tr>
+    <td>
+     <c:out value="${entry.key}" />
+    </td>
+    <td>
+     <c:out value="${entry.value}" />
+    </td>
+   </tr>
+  </c:forEach>
+ </table>
+</body>
+</html>

src/test/java/org/t246osslab/easybuggy/EmbeddedJettyServer.java

@@ -32,9 +32,9 @@ public static void main(String[] args) throws Exception {
         context.setConfigurations(new Configuration[] { new AnnotationConfiguration(), new WebXmlConfiguration(),
                 new WebInfConfiguration(), new TagLibConfiguration(), new PlusConfiguration(),
                 new MetaInfConfiguration(), new FragmentConfiguration(), new EnvConfiguration() });
-
         context.setContextPath("/");
         context.setParentLoaderPriority(true);
+        //context.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
         server.setHandler(context);
         server.start();
         server.dump(System.err);