 

Directory traversal security issue

Tags:

java

security

I have a Java webapp which is vulnerable to the directory traversal (aka path traversal) attack via URL encoding. After being authenticated:

  • if I hit http://localhost:8080/Web/WEB-INF/web.xml, I get a 404 (which is fine)
  • if I hit http://localhost:8080/Web/%c0%ae/WEB-INF/web.xml, I can read the file (which is obviously not fine)

As per the Servlet spec., the WEB-INF folder is not supposed to be accessible publicly, but somehow it works in this case. I'm using Websphere 5.1 with Java 1.4, Spring Security 2.0.5 and Struts 1.3. From what I read, it seems to be related to the encoding, %c0%ae being '.' (dot) in UTF-8.

I tried the same thing on a different webapp which runs in a different environment (Tomcat 6 with Java 7, Spring Security 3 and Spring MVC) and I wasn't able to reproduce the problem. This second webapp has a filter to force encode the pages in UTF-8 (org.springframework.web.filter.CharacterEncodingFilter), so I tried the same configuration on the first webapp, but it didn't do the trick. Any ideas?

Thanks.

Emmanuel Ballerini asked Jun 01 '11 18:06
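The encoding bypass the question describes, as an added example in Python that is not part of the original post: a deliberately lenient UTF-8 decoder shows how the two bytes C0 AE become '.', Python's strict codec shows the rejection a correct decoder must perform, and a fail-closed request guard (the function names and the forbidden-directory list are this example's own choices) refuses the request before any WEB-INF lookup is reached. The request paths are the two from the question, with the host part dropped.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Added example, not code from the original post. Models the overlong-UTF-8
# decoding the question reports, next to a strict decoder and a guard.
FORBIDDEN_DIRS = ("WEB-INF", "META-INF")   # example's own deny list


def lenient_utf8_decode(data: bytes) -> str:
    """UTF-8 decoder that does NOT reject overlong forms.

    This is the flaw, reproduced deliberately: RFC 3629 forbids encoding a
    code point in more bytes than needed, so C0 AE must be rejected. A
    decoder that skips that check turns C0 AE into U+002E ('.').
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 0, b
        elif 0xC0 <= b <= 0xDF:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            n, cp = 3, b & 0x07
        else:
            raise ValueError(f"invalid lead byte {b:#04x} at offset {i}")
        if i + n >= len(data):
            raise ValueError("truncated multi-byte sequence")
        for k in range(1, n + 1):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                raise ValueError(f"invalid continuation byte {c:#04x}")
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))   # no "is this the shortest form?" check here
        i += n + 1
    return "".join(out)


def strict_utf8_decode(data: bytes) -> str:
    """Python's codec rejects overlong forms: C0 AE raises UnicodeDecodeError."""
    return data.decode("utf-8")


def container_view(raw_path: str, decode=strict_utf8_decode):
    """Percent-decode and normalize a request path the way a file-serving
    layer would. Returns the normalized path, or None when the decoded
    bytes are not acceptable to the given decoder."""
    try:
        decoded = decode(unquote_to_bytes(raw_path))
    except ValueError:            # UnicodeDecodeError is a ValueError
        return None
    return posixpath.normpath(decoded)


def request_allowed(raw_path: str) -> bool:
    """Fail-closed guard meant to run before any servlet mapping.

    Denies paths that are not strictly valid UTF-8 after percent-decoding,
    that contain NUL, that still start with '..' after normalization, or
    that reach a forbidden directory once './' and '../' are resolved.
    The directory comparison is case-insensitive so a case-insensitive
    filesystem cannot be used to slip past it.
    """
    normalized = container_view(raw_path)
    if normalized is None or "\x00" in normalized:
        return False
    segments = [s for s in normalized.split("/") if s]
    if ".." in segments:          # normpath keeps a leading '..' on relative paths
        return False
    return not any(s.upper() in FORBIDDEN_DIRS for s in segments)


if __name__ == "__main__":
    # Constructed request paths, taken from the question (host part omitted).
    plain = "/Web/WEB-INF/web.xml"
    overlong = "/Web/%c0%ae/WEB-INF/web.xml"
    print(container_view(overlong, lenient_utf8_decode))   # /Web/WEB-INF/web.xml
    print(container_view(overlong))                        # None
    for p in (plain, overlong, "/Web/index.jsp"):
        print(p, "->", "allow" if request_allowed(p) else "deny")
```

With the lenient decoder the second URL collapses to exactly the first, which is why a WEB-INF check applied to the raw, undecoded segments sees nothing wrong while the file-serving layer opens web.xml. The guard closes that gap by refusing the overlong bytes outright instead of normalizing them; in a Java container the same logic belongs in a servlet Filter placed ahead of the Spring Security chain.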


2 Answers

I am going to answer my own question.
So, with the limited options I had, what I ended up doing is adding a security rule such as the following to the Spring Security configuration file:

<sec:intercept-url pattern="/**/WEB-INF/**" access="no-access"/>

It restricts access to WEB-INF to the 'no-access' role, which is in fact not a role. That prevents access for all users. It is not ideal, but it will do the trick until there is an upgrade.

Emmanuel Ballerini answered Nov 07 '22 21:11


You could fix or deny these requests before they hit Websphere by proxying them through another webserver/appserver or a web application firewall. Either another Java app server or possibly something like Nginx or Varnish could do the trick.

Of course, the real solution is to upgrade. This is just a band-aid that could be subverted. It's really the wrong way to "fix" security problems.

Øyvind Skaar answered Nov 07 '22 19:11