Potential Local File Include test bug

[andresriancho]

Description

I believe that some tests are broken, at least they throw the same exception in both pico-wavsep and wavsep docker images.

This is how to reproduce:

• Install docker
• Install docker-compose
• Run WAVSEP inside docker with MySQL inside a docker container:

git@github.com:andresriancho/wavsep.git
cd wavsep
docker-compose up

• Browse to http://127.0.0.1:8098/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/Case10-LFI-FileClass-FilenameContext-Unrestricted-FileDirective-DefaultFullInput-NoPathReq-Read.jsp?target=include.jsp
• Expected result: The contents of the include.jsp file (also tested with others)
• HTTP response body I receive instead:

HTTP Status 500 - Exception details: java.lang.IllegalArgumentException: 
URI has an authority component

type Status report

message Exception details: java.lang.IllegalArgumentException:
URI has an authority component

description The server encountered an internal error that prevented it from
fulfilling this request.

The console log shows:

wavsep_1   | Default Target File (Prior to Concat): content.ini
wavsep_1   | Default Base Path (Prior to Concat): file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/
wavsep_1   | Default Target File: content.ini
wavsep_1   | Default Base Path: file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/
wavsep_1   | 
wavsep_1   | 
wavsep_1   | 
wavsep_1   | Final Relative Access:/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
wavsep_1   | Final Full Access:/usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
wavsep_1   | Target File: content.ini
wavsep_1   | 
wavsep_1   | File:file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
wavsep_1   | prefix:/usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/
wavsep_1   | File to access:/usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
wavsep_1   | Current Absultoe File Path: /usr/local/tomcat/webapps/.
wavsep_1   | Current Canonical Dir Path: /usr/local/tomcat/webapps

The most interesting part seems to be (note the file:// which I never sent):

File to access:/usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini

Versions

• Apache Tomcat/7.0.63
• jre8

Questions

• Is this really a bug?
• Maybe it was something designed to work on Windows?
• If WAVSEP was buggy, how did some scanners find a vulnerability here?

[sectooladdict]

I can't see which test case this is about, could you share the URL?

plus - several test cases in the LFI directories are only built for
windows. Its only a handful, but still, Java emulates Linux paths very well
on windows, but doesn't work as well in Windows simulation on Linux, unless
you install wine.

Never tried to fix the issue with wine before, but its worth a shot.

On Fri, Sep 11, 2015 at 10:43 PM, Andres Riancho notifications@github.com
wrote:

Potential bug

I believe that some tests are broken, at least they throw the same
exception in both pico-wavsep and wavsep docker images.

This is how to reproduce:

• Install docker
• Install docker-compose
• Run WAVSEP inside docker with MySQL inside a docker container:

git@github.com:andresriancho/wavsep.git
cd wavsep
docker-compose up

• Browse to
  http://127.0.0.1:8098/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/Case10-LFI-FileClass-FilenameContext-Unrestricted-FileDirective-DefaultFullInput-NoPathReq-Read.jsp?target=include.jsp
• Expected result: The contents of the include.jsp file (also tested
  with others)
• HTTP response body I receive instead:

HTTP Status 500 - Exception details: java.lang.IllegalArgumentException: URI has an authority component

type Status report

message Exception details: java.lang.IllegalArgumentException: URI has an authority component

description The server encountered an internal error that prevented it from fulfilling this request.

Apache Tomcat/7.0.63

The console log shows:

wavsep_1 | Default Target File (Prior to Concat): content.ini
wavsep_1 | Default Base Path (Prior to Concat): file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/
wavsep_1 | Default Target File: content.ini
wavsep_1 | Default Base Path: file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/
wavsep_1 |
wavsep_1 |
wavsep_1 |
wavsep_1 | Final Relative Access:/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
wavsep_1 | Final Full Access:/usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
wavsep_1 | Target File: content.ini
wavsep_1 |
wavsep_1 | File:file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
wavsep_1 | prefix:/usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/
wavsep_1 | File to access:/usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
wavsep_1 | Current Absultoe File Path: /usr/local/tomcat/webapps/.
wavsep_1 | Current Canonical Dir Path: /usr/local/tomcat/webapps

The most interesting part seems to be (note the file:// which I never
sent):

File to access:/usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/file://usr/local/tomcat/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini

Questions

• Is this really a bug?
• Maybe it was something designed to work on Windows?
• If WAVSEP was buggy, how did some scanners find a vulnerability here?

—
Reply to this email directly or view it on GitHub
#5.

[andresriancho]

I can't see which test case this is about, could you share the URL?

It's right there, see the "Browse to" part of my bug report.

several test cases in the LFI directories are only built for windows

Could you please enumerate which ones are only for windows?

[sectooladdict]

Found one test case that will only work on windows - test case 37,
previously reported by Tasos Laskos -
https://code.google.com/p/wavsep/issues/detail?id=10,
which means that all the test cases in the series will respond accordingly.

Will map and publish a formal list in the context of the current benchmark.

On Sun, Sep 13, 2015 at 3:48 PM, Andres Riancho notifications@github.com
wrote:

I can't see which test case this is about, could you share the URL?

It's right there, see the "Browse to" part of my bug report.

several test cases in the LFI directories are only built for windows

Could you please enumerate which ones are only for windows?

—
Reply to this email directly or view it on GitHub
#5 (comment).

[andresriancho]

Will map and publish a formal list in the context of the current benchmark.

If you could publish that before it would be really good for WAVSEP users :)

[sectooladdict]

Added to my todo, will see what I can do :)

On Wed, Sep 16, 2015 at 3:26 PM, Andres Riancho notifications@github.com
wrote:

Will map and publish a formal list in the context of the current benchmark.

If you could publish that before it would be really good for WAVSEP users
:)

—
Reply to this email directly or view it on GitHub
#5 (comment).