小贝子编程

Spring Java 中的本地文件包含漏洞



我有一个使用Spring MVC框架的javaWeb应用程序。昨天,安全团队共享了一个 URL 来利用浏览器上的本地文件包含漏洞(暴露 web.xml)。

我无法弄清楚在哪里寻找可疑区域。它是在 Spring 配置中还是在 JSP 文件中。

网络.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app>
   <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/context-beans.xml</param-value>
    </context-param>

    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <servlet>
        <servlet-name>CXFServlet</servlet-name>
        <display-name>CXF Servlet</display-name>
        <servlet-class>
            org.apache.cxf.transport.servlet.CXFServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>CXFServlet</servlet-name>
        <url-pattern>/service/*</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                classpath:spring/web-app-servlet.xml
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
        <async-supported>true</async-supported>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

并返回 JSP。

<!DOCTYPE html>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
        <title>SignUp</title>
        <meta name="description" content="">
        <meta name="viewport" content="initial-scale=1.0, minimum-scale=1.0,maximum-scale=1.0">
        <link rel="stylesheet" href="/services/resources/css/fa-fonts.css">
        <link rel="stylesheet" href="/services/resources/css/common.css">
        <link rel="stylesheet" href="/services/resources/css/main.css">
        <link rel="stylesheet" href="/services/resources/css/header.css">
        <script type="text/javascript" src="/services/resources/js/lib/modernizr-2.8.3.min.js"></script>
        <script type="text/javascript" src="/services/resources/js/lib/jquery.js"></script>
    </head>
    <body>
        <section class="services-sec js-popDiv" id="loaderStrip" style="display: none;">
        <div class='services-loaderDiv'>
            <h2 class="bold">Please Wait </h2>
            <i class="services-loader-dot"></i>
        </div>
        </section>
        <jsp:include page="header.jsp"></jsp:include>
    </body>
</html>
我想

,这不是您的配置问题,而是应用程序功能的问题:如果你有一些可以由用户给出的文件名,你必须检查它是否是一个正确的文件名。例如,如果您有一个文件上传对话框并且用户选择了文件名,则它不应该是"../../web.xml",但类似"file.txt"您可以使用 uploadName = FilenameUtils.getName(uploadName);以检查字符串上传名称是否只是一个文件或还包含反向遍历路径,例如"../"

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium