随笔- 2 文章- 0 评论- 0 阅读- 88

一点网安随笔

I find a Directory Traversal issue in ArcGIS Server Manager

Recently, I found that there is a Directory Traversal vulnerability in ArcGIS Server Manager. Versions affected by this vulnerability discovered up to now are 10.1, 10.2.2 and 10.2.

What is ArcGIS Server Manager?

ArcGIS for Server is a software that developed by ESRI. It makes your geographic information available to others in your organization and optionally anyone with an Internet connection. This is accomplished through web services, which allow a powerful server computer to receive and process requests for information sent by other devices. ArcGIS for Server opens your GIS to tablets, smartphones, laptops, desktop workstations, and any other devices that can connect to web services.

Summary

An Directory Traversal issue is discovered in ArcGIS Server Manager 10.2.2 and 10.2. Directory Traversal is a vulnerability which allows attackers to access restricted directories and read files outside of the web server's allowed paths.

Without login required,an attacker can construct malicious url and make a request to the server, which can lead to a directory traversal and access resources which are not allowed to access. Such like '/WEB-INF/web.xml'.

Tested Versions

ArcGIS Server Manager 10.2.2 and 10.2

Details

First of all, let's visit our test site.The home page is like this:

Viewing the html code of this page, we can get the path'./manager/3552/css/esri/admin.css',let's mark it down for the further use.

We can visit the path '/arcgis/help/en/index.html' to get its version:

Intercept the request, modify our request and send it. We can get a response from the server as seen below:

We successfully get a directory traversal and access restricted directories——by reading the '/WEB-INF/web.xml' file. And if we just directly request for the path'/arcgis/manager/3552/WEB-INF/web.xml', we will get a 404 Response code: