Document Title: =============== Cloupia Framework E2E - Directory Traversal Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=182 ID: KUSTODIAN-2011-011 Release Date: ============= 2012-01-11 Vulnerability Laboratory ID (VL-ID): ==================================== 383 Common Vulnerability Scoring System: ==================================== 7.8 Product & Service Introduction: =============================== Provides end-to-end FlexPod management and automation across physical, virtual, compute, storage and network resources. Create internal private clouds rapidly with internal standards and procedures to maximize the infrastructure investments. Provides comprehensive physical and virtual infrastructure management and automation. Provides unified solution and single pane of glass for consistent and connected experience across private, public & hybrid clouds. Abstract Advisory Information: ============================== A Laboratory Researcher (Chris Rock) discovered a directory traversal vulnerability on the famous Cloupia Application Framework. Vulnerability Disclosure Timeline: ================================== 2012-01-16: Public or Non-Public Disclosure Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ jQuery File Tree is a configurable, AJAX file browser plugin for the jQuery javascript library utilised within the Cloupia application framework. Unauthenticated access to this module allows a remote attacker to browse the entire file system of the host server, beyond the realm of the web service itself. Cloupia are aware of this flaw and are releasing a patch to mitigate access. End users are urged to update immediately by contacting the vendor. Proof of Concept (PoC): ======================= The directory traversal vulnerability can b exploited by local & remote attackers. For demonstration or reproduce ... The following process performed as an attacker to exploit this vulnerability would be as follows. The code for the jQuery File Tree ‘Java-Server-Page’ file reads as follows ... <%@ page import="java.io.File,java.io.FilenameFilter,java.util.Arrays"%> <% /** * jQuery File Tree JSP Connector * Version 1.0 * Copyright 2008 Joshua Gould * 21 April 2008 */ String dir = request.getParameter("dir"); if (dir == null) { return; } if (dir.charAt(dir.length()-1) == '\\') { dir = dir.substring(0, dir.length()-1) + "/"; } else if (dir.charAt(dir.length()-1) != '/') { dir += "/"; } if (new File(dir).exists()) { String[] files = new File(dir).list(new FilenameFilter() { public boolean accept(File dir, String name) { return name.charAt(0) != '.'; } }); Arrays.sort(files, String.CASE_INSENSITIVE_ORDER); out.print("