Vigil@nce - Apache Tomcat: directory traversal of ServletContext
April 2016 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker, who is allowed to upload a malicious web application
on the service, can traverse directories in ServletContext of
Apache Tomcat, in order to read the content of a directory outside
the service root path.
Impacted products: Tomcat, Debian, BIG-IP Hardware, TMOS, HP-UX,
openSUSE Leap, Solaris, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 22/02/2016.
DESCRIPTION OF THE VULNERABILITY
The Apache Tomcat product can execute a web application from an
untrusted source with a Security Manager.
However, the getResource(), getResourceAsStream() and
getResourcePaths() methods of ServletContext insert user’s data
directly in an access path. Sequences such as "/.." can thus be
used by the web application to go in the upper directory.
An attacker, who is allowed to upload a malicious web application
on the service, can therefore traverse directories in
ServletContext of Apache Tomcat, in order to read the content of a
directory outside the service root path.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Apache-Tomcat-directory-traversal-of-ServletContext-18993