Bug 1305937 - (CVE-2016-0793) CVE-2016-0793 wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160211,repor...
: Security
Depends On: 1306470
Blocks: 1305944
Reported: 2016-02-09 11:16 EST by Adam Mariš
Modified: 2017-06-06 11:24 EDT (History)
CC: 6 users

Doc Type: Bug Fix
Doc Text:
An incomplete-blacklist flaw was found in the blacklisting of URLs in Wildfly. A remote, unauthenticated user could exploit this flaw to expose sensitive files.
Attachments: None
Description Adam Mariš 2016-02-09 11:16:04 EST
An information disclosure of the content of the restricted files WEB-INF and META-INF via the filter mechanism was reported. The servlet filter restriction mechanism is enforced by two code checks:

if (path.startsWith("/META-INF") || path.startsWith("META-INF") || path.startsWith("/WEB-INF") || path.startsWith("WEB-INF")) {
    return false;
}

private boolean isForbiddenPath(String path) {
    return path.equalsIgnoreCase("/meta-inf/") || path.regionMatches(true, 0, "/web-inf/", 0, "/web-inf/".length());
}

which can be bypassed by using lower case and adding a meaningless character to the path.
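For comparison, the following is an added example and not Undertow or WildFly code: it reproduces the two checks quoted above as plain static methods and places a canonicalising check beside them. The hardened version assumes the servlet path has already been URL-decoded, treats backslashes as separators, looks only at the first path segment, and drops trailing dots and spaces (which NTFS ignores when resolving a name) before comparing case-insensitively. The class name, method names and sample paths are constructed for this example.

```java
import java.util.Locale;

/**
 * Added example (not Undertow/WildFly code): the two checks quoted in the
 * bug report beside a canonicalising replacement for a WEB-INF/META-INF filter.
 */
public final class ForbiddenPathCheck {

    private ForbiddenPathCheck() {}

    // First check quoted in the report: a case-sensitive prefix test.
    // Returns true when the path is allowed through.
    static boolean originalPrefixCheckAllows(String path) {
        if (path.startsWith("/META-INF") || path.startsWith("META-INF")
                || path.startsWith("/WEB-INF") || path.startsWith("WEB-INF")) {
            return false;
        }
        return true;
    }

    // Second check quoted in the report: exact match for "/meta-inf/" and a
    // case-insensitive prefix match for "/web-inf/".
    static boolean originalIsForbiddenPath(String path) {
        return path.equalsIgnoreCase("/meta-inf/")
                || path.regionMatches(true, 0, "/web-inf/", 0, "/web-inf/".length());
    }

    // Hardened check. Assumption: the path has already been URL-decoded.
    static boolean isForbiddenPathHardened(String path) {
        // Normalise separators and strip any leading ones.
        String p = path.replace('\\', '/');
        while (p.startsWith("/")) {
            p = p.substring(1);
        }
        // Only the first segment decides whether we are inside WEB-INF or META-INF.
        int slash = p.indexOf('/');
        String first = slash < 0 ? p : p.substring(0, slash);
        // Drop trailing dots and spaces, which NTFS ignores when resolving a name,
        // so "WEB-INF" and a variant with such trailing characters compare equal.
        int end = first.length();
        while (end > 0 && (first.charAt(end - 1) == '.' || first.charAt(end - 1) == ' ')) {
            end--;
        }
        String name = first.substring(0, end).toLowerCase(Locale.ROOT);
        return name.equals("web-inf") || name.equals("meta-inf");
    }

    public static void main(String[] args) {
        // Constructed sample paths: the hardened check rejects every variant of the
        // two directories, while the original checks disagree with each other.
        String[] samples = {
            "/WEB-INF/web.xml",
            "/web-inf/web.xml",
            "/META-INF/",
            "/meta-inf/MANIFEST.MF",
            "/index.html"
        };
        for (String s : samples) {
            System.out.printf("%-24s prefixCheckAllows=%-5b isForbidden=%-5b hardened=%b%n",
                    s, originalPrefixCheckAllows(s), originalIsForbiddenPath(s),
                    isForbiddenPathHardened(s));
        }
    }
}
```

Compile with `javac ForbiddenPathCheck.java` and run with `java ForbiddenPathCheck`. The point of the table it prints is that a single canonicalising step applied before the comparison removes the case and trailing-character differences that the two original checks handle inconsistently; on a case-insensitive filesystem, comparing the raw request string is not enough.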
Comment 2 Adam Mariš 2016-02-09 11:27:54 EST
Acknowledgments:

Red Hat would like to thank Tal Solomon of Palantir Security for reporting this issue.
Comment 5 Jason Shepherd 2016-02-10 17:54:14 EST
This issue affects versions of Wildfly prior to 10.0.0.Final, including 9.0.2.Final, and 8.2.1.Final. It only affects Wildfly users running on Windows. Users of those versions on Windows are advised to upgrade to 10.0.0.Final.

No versions of JBoss EAP or layered products are affected.
Comment 6 Jason Shepherd 2016-02-10 17:56:14 EST
Created wildfly tracking bugs for this issue:

Affects: fedora-all [bug 1306470]
Comment 7 Summer Long 2016-02-12 00:48:17 EST
Statement: 

Only Wildfly application servers running on Windows operating systems are affected; no versions of Red Hat JBoss EAP or layered products are affected.
Comment 8 voora 2017-02-21 15:56:49 EST
(In reply to Jason Shepherd from comment #5)
> This issue affects versions of Wildfly prior to 10.0.0.Final, including
> 9.0.2.Final, and 8.2.1.Final. It only affects Wildfly users running on
> Windows. Users of those versions on Windows are advised to upgrade to
> 10.0.0.Final.
> 
> No versions of JBoss EAP or layered products are affected.

The release notes for 10.0.0 Final or 10.1 have no information on this, can you please point me to which bug / enhancement fixed this issue?

Thanks
Comment 9 Andrea Scarpino 2017-06-06 10:27:03 EDT
(In reply to voora from comment #8)
> The release notes for 10.0.0 Final or 10.1 have no information on this, can
> you please point me to which bug / enhancement fixed this issue?

Up. Please write how it has been fixed in WildFly 10.
Comment 10 Bharti Kundal 2017-06-06 11:17:12 EDT
@Andrea: This issue affects versions of Wildfly prior to 10.0.0.Final, including 9.0.2.Final, and 8.2.1.Final. It only affects Wildfly users running on Windows.
Comment 11 Andrea Scarpino 2017-06-06 11:24:05 EDT
(In reply to Bharti Kundal from comment #10)
> @Andrea: This issue affects versions of Wildfly prior to 10.0.0.Final,
> including 9.0.2.Final, and 8.2.1.Final. It only affects Wildfly users
> running on Windows.

@Bharti: Hi, I already read that. What I mean is: how does this affect only WildFly < 10? From what I understand the bug is inside undertow[1] and that code hasn't changed. *I know* this has been effectively fixed in WildFly 10, just wondering *how* it has been mitigated.

Thank you

[1] https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java/io/undertow/servlet/handlers/ServletInitialHandler.java#L201
