DEV Community

João Victor

Path traversal via reverse proxy mapping

Reward $100

Overview of the Vulnerability

Path traversal uses a server misconfiguration to access hidden files and directories that are stored on the served web application. This can include sensitive operating files, code and data that runs the application, or in some cases, user credentials.

An attacker can leverage the path traversal vulnerability in this application to gain access to system files in a folder of a directory that is not intended for public access.
Tomcat treats the sequence /..;/ as /../ and normalizes the path, while reverse proxies do not normalize this sequence and forward it to Apache Tomcat as is.

This allows an attacker to access Apache Tomcat resources that are not normally accessible via the reverse proxy mapping.
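The proxy/Tomcat normalisation mismatch described above, as an added example that is not part of the original post: a small Python emulation of Tomcat's path canonicalisation (an approximation, not Tomcat's own code), a check for requests that a naive prefix-matching proxy would forward but Tomcat would resolve outside the mapped prefix, and the corrected proxy rule that matches on the canonical path instead. The `/axis2/` prefix and the sample request paths are constructed.

```python
# Added example (not from the original post): emulate the normalisation mismatch
# between a prefix-matching reverse proxy and Apache Tomcat. Tomcat's behaviour
# is approximated here, not taken from its source.
from urllib.parse import unquote


def tomcat_normalize(path: str) -> str:
    """Approximate Tomcat canonicalisation: URL-decode, strip ';' path
    parameters from each segment, drop empty and '.' segments, resolve '..'."""
    out = []
    for seg in path.split("/"):
        seg = unquote(seg).split(";", 1)[0]  # ';jsessionid=..' or a bare ';' is dropped
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    trailing = "/" if path.endswith("/") and out else ""
    return "/" + "/".join(out) + trailing

def escapes_mapping(raw_path: str, prefix: str) -> bool:
    """True when a naive proxy rule (raw path starts with the mapped prefix)
    forwards the request but Tomcat resolves it outside that prefix."""
    return raw_path.startswith(prefix) and not tomcat_normalize(raw_path).startswith(prefix)

def hardened_proxy_allows(raw_path: str, prefix: str) -> bool:
    """Mitigation: reject any '..' segment and match the prefix on the canonical
    path, while still tolerating legitimate ';jsessionid=' URL rewriting."""
    segments = (unquote(s).split(";", 1)[0] for s in raw_path.split("/"))
    if any(s == ".." for s in segments):
        return False
    return tomcat_normalize(raw_path).startswith(prefix)

def flag_escapes(log_paths, prefix):
    """Scan request paths (e.g. from an access log) and return those that slip past the mapping."""
    return [p for p in log_paths if escapes_mapping(p, prefix)]

# Constructed sample request paths, not real traffic.
SAMPLE_PATHS = ["/axis2/services/listServices",
                "/axis2/services;jsessionid=abc/listServices",
                "/axis2//..;/"]  # the PoC path from the report

if __name__ == "__main__":
    for p in flag_escapes(SAMPLE_PATHS, "/axis2/"):
        print(f"{p!r} -> Tomcat would serve {tomcat_normalize(p)!r}")
```

The same `tomcat_normalize` check can be run over proxy access logs to find requests that reached Tomcat outside the prefix the proxy thought it was forwarding to.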

Business Impact

Path traversal can lead to reputational damage for the business due to a loss of confidence and trust by users. It can also result in data theft and indirect financial losses to the business through the costs of notifying affected users and remediating the breach of PII, if an attacker can successfully exfiltrate user data.
An attacker can inject path traversal sequences such as /..;/ and access Apache Tomcat resources that are not normally mapped via the reverse proxy mapping.

Steps to Reproduce

Replay this request:

GET /axis2//..;/ HTTP/1.1
Cookie: JSESSIONID=35287FC413AC61BB9B76A853DBAF0DC7; sftlc=O3BU01JCA7NJ1P9527N7QX3JBS81K7I8; JSESSIONID=A80093E984D73E98210B41D334FE50C8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: c4ng4c31r0.com
Connection: Keep-alive

PoC:

[PoC screenshots]

PS: The triage changed the severity to P1 (critical), but the company changed it to P4 (low), claiming it was a "WAF misconfiguration".

[screenshots of the triage and severity change]

Status: Resolved
Reward: $100
