-
Notifications
You must be signed in to change notification settings - Fork 246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible path traversal vulnerability on Share container #980
Comments
Thanks Giuseppe for sharing your findings and suggestions. |
Do you know if a workaround/fix will be available also for the ACS community version ?
According to the docker compose Community file, port 8080 is mapped to the Nginx container:
Apparently the Ngix container doesn't prevent the issue on that port at the moment. |
Unless I'm misunderstanding, It doesn't seem you can escape the share folder, as it's not mapped from nginx. |
Yeah absolutely. Just Share folder and its sub directories seem affected. Fortunately the out-of-the-box Share folder doesn't include sensitive information (i.e. db credentials, connection strings and so on). |
Share Docker container looks prone to an information disclosure vulnerability.
After a fresh install of ACS using Docker Compose, I was able to access/download restricted contents from the Share WEB-INF directory without any authentication:
$ curl --path-as-is 'http://localhost:8080/share/res/./WEB-INF/web.xml'
Stack
Steps to reproduce
Download the docker compose file from:
https://github.com/Alfresco/acs-deployment/blob/master/docker-compose/community-docker-compose.yml
Start the ACS Docker containers:
$ docker-compose -f community-docker-compose.yml up
Run curl to access the Share web.xml file:
$ curl --path-as-is 'http://localhost:8080/share/res/./WEB-INF/web.xml'
Observations and Results
After a fresh install of ACS using Docker compose, it is possible to traverse into the WEB-INF folder of Share webapp and read files under the reserved WEB-INF directory.
It sounds like an incompatibility issue between Tomcat 9 and the Tuckey urlrewritefilter library deployed under the Share container.
The urlrewrite rule
^/res/(.*)
seems not having effects with Tomcat 9 and that Tuckey library, making the webapp vulnerable to path traversal attacks.The servlet specification prohibits servlet containers from serving resources in the "/WEB-INF" and "/META-INF" directories of a web application archive directly to clients.
An attacker might be able to gather additional info and/or sensitive data about the web application.
(Alfresco content-app seems not affected).
Resources
JAVA Servlet 2.4 Specifiction (page 70)
https://download.oracle.com/otn-pub/jcp/servlet-2.4-fr-spec-oth-JSpec/servlet-2_4-fr-spec.pdf?AuthParam=1690914053_3df9160009a1a65654debd38804e559b
The text was updated successfully, but these errors were encountered: