In other words, if the Apache web server redirects a path to a specific servlet (Java web application) on an internal application server such as Tomcat, appending ..;/ to the path allows an attacker to step back up and reach other servlets available on the same application server. So, while a direct request to /npm-admin/ does not work and a request to /npm-pwg/ does, a request to /npm-pwg/..;/npm-admin/ bypasses the redirect and brings up the connector in the NuPoint Unified Messaging Server web interface.
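To show why the front-end proxy and the servlet container disagree, here is an added detection example (not code from the original article or from Mitel) that resolves each request path the way a servlet container does, dropping the ;path-parameter from every segment before collapsing .., and flags access-log entries whose container-side resolution escapes the prefix the proxy is meant to expose. The log lines, the Combined-Log-Format regex and the /npm-pwg/ prefix are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article): a legitimate
# request, a request carrying the "..;/" trick, and a blocked direct request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /npm-pwg/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /npm-pwg/..;/npm-admin/ HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /npm-admin/ HTTP/1.1" 403 0
"""

# Assumed log layout: method and path inside the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def tomcat_view(path: str) -> str:
    """Resolve a path as a servlet container does: strip the path parameter
    (everything after ';' in each segment), then collapse '.' and '..'."""
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def escapes_prefix(raw_path: str, allowed_prefix: str) -> bool:
    """True when a prefix-matching proxy rule would accept raw_path but the
    container-side resolution lands outside that prefix."""
    front_end_ok = raw_path.startswith(allowed_prefix)
    resolved = tomcat_view(raw_path)
    return front_end_ok and not (resolved + "/").startswith(allowed_prefix)


def suspicious_requests(log_text: str, allowed_prefix: str = "/npm-pwg/") -> list:
    """Return (raw_path, resolved_path) pairs for log entries whose resolved
    path escapes the prefix; the query string and percent-encoding are removed
    first so encoded variants of the same trick are caught too."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        raw = unquote(match.group("path").split("?", 1)[0])
        if escapes_prefix(raw, allowed_prefix):
            hits.append((raw, tomcat_view(raw)))
    return hits
```

The mitigation the check points at is to normalise paths the same way on both hops (or reject ';' in path segments at the proxy) rather than to rely on prefix matching alone.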
From here, the researchers were able to scan the web application and found a SQL injection flaw, corresponding to CVE-2024-35286. They then wondered what other web applications (.ewar files) might reside in the server root besides npm-admin. There are many of them: awcPortlet, awv, axis2-AWC, Bulkuserprovisioning, ChangePasscodePortlet, ChangePasswordPortlet, ChangeSettingsPortlet, LoginPortlet, massat, MiCollabMetting, portal, ReconcileWizard, SdsccDistributionErrors, UCAProvisioningWiz, UCAPro, and UCAProvisioningWizard.
A larger attack surface means more errors that can be detected
The cross-path problem opens up a very large attack surface, since any of those resources that can be reached without authentication may be compromised, or the sensitive operations they expose may be abused. The researchers reported the issue to Mitel in May; it was assigned CVE-2024-41713 and patched in October, closing the attack vector.