0

Since JBoss is acting as a middleware - Application Server - I was wondering if it's still possible to face with File Inclusion attacks.(?) The reason I was wandering so is that in such a case, no request will be directly sent to any Storage or DataBase server since JBoss will be stepping in the middle of communication to check for validity and so on, so I thought RFI/LFI might be already prevented by using Application Servers.

If it's yet possible, what can be done to prevent File Inclusion attacks? - not including making sure that PHP is immune enough from malicious codes

OS : RHEL 7

Application Server : JBoss

Parsa Samet
  • 246
  • 2
  • 10

1 Answers1

2

It's possible to have a file inclusion attack on JBoss (e.g exploit code: https://www.exploit-db.com/exploits/36553/).

I've tested the Remote Code Execution & had it's instances landed to file inclusions such as the follows:

JBoss Remote File Inclusion

A more detailed explanation of this could be found at: http://securityxploded.com/JBoss%20Whitepaper.pdf

Since, it's Java Tier; even the middleware could be prone to attacks given in context that File Inclusions (whether remote or local) is caught due to lack of proper sanitisation or validations.

Example code:

<jsp:include page="<%=(String)request.getParameter(\"template\")%>">

The sample code takes a user specified template name and includes it in the JSP page to be rendered. This could be a local file inclusion. However, RCE exists in JBoss & could be easily manipulated to achieve further escalation into file inclusions.

Shritam Bhowmick
  • 1,602
  • 14
  • 28