Wildfly - 'WEB-INF' / 'META-INF' Information Disclosure via Filter Restriction Bypass

EDB-ID:

39573

CVE:

2016-0793

EDB Verified:

Author:

Tal Solomon of Palantir Security

Type:

webapps

Exploit:   /  

Platform:

Windows

Date:

2016-03-20

Vulnerable App: 
Exploit Title: Wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass
Date: 09.02.16
Exploit Author: Tal Solomon of Palantir Security
Vendor Homepage: https://bugzilla.redhat.com/show_bug.cgi?id=1305937
Software Link: http://wildfly.org/downloads/
Version: This issue effects versions of Wildfly prior to 10.0.0.Final, including 9.0.2.Final, and 8.2.1.Final. 
Tested on: Windows
CVE : CVE-2016-0793

An information disclosure of the content of restricted files WEB-INF and META-INF via filter mechanism was reported. Servlet filter restriction mechanism is enforced by two code checks: 

if (path.startsWith("/META-INF") || path.startsWith("META-INF") || path.startsWith("/WEB-INF") || path.startsWith("WEB-INF")) {
    return false;
}

private boolean isForbiddenPath(String path) {
                return path.equalsIgnoreCase("/meta-inf/") || path.regionMatches(true, 0, "/web-inf/", 0, "/web-inf/".length());
}

which can be bypassed using lower case and adding meaningless character to path.

Proof of Concept Video:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39573.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services