rt.rap: RCE on RAP File Upload
Reported by @melazrak at the Security mailing list
Basic information
Project name: Eclipse RAP
Project id: rt.rap
What are the affected versions?
Not communicated
Details of the issue
I noticed a security issue on org.eclipse.rap.fileupload component and I would like to inform you about it. According to your Security Policy I tried to report vulnerabilities using the Eclipse Foundation's Bugzilla instance but when I created a new account I was asked to have at least one active component in order for me to enter a bug into the product Community. So I am reporting it to you via email.
Remote Code Execution is possible on Windows due to improper filename sanitization for features relying on the servicehandler=org.eclipse.rap.fileupload mechanism. A partial sanitization of the filename is done in the stripFileName method. When this method finds a / it removes everything before it but keeps any potential \ characters. So for the filename "/....\webapps\shell.war" the stripFileName method keeps "....\webapps\shell.war".
Proof when running an app using RAP Fileupload on a Tomcat Server on Windows
The file is saved in the webapps folder
Please feel free to ask for more details if needed.
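For reference, an added illustration of the sanitization gap described above (this is not Eclipse RAP's own code): weakStripFileName is a hypothetical reconstruction of the single-separator behaviour the report describes, and safeStripFileName plus staysInside show the checks a defender would want, treating both separators as path delimiters on every platform and confirming the resolved target remains inside the upload directory. The directory name "uploads" and the class and method names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class UploadNameCheck {

    // Hypothetical reconstruction of the behaviour the report describes:
    // everything up to the last '/' is dropped, but backslashes survive,
    // which matters when the server runs on Windows.
    static String weakStripFileName(String name) {
        int slash = name.lastIndexOf('/');
        return slash >= 0 ? name.substring(slash + 1) : name;
    }

    // Hardened variant: treat '/' and '\' as separators regardless of the
    // host OS, keep only the last segment, and reject empty or dot segments.
    static String safeStripFileName(String name) {
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = cut >= 0 ? name.substring(cut + 1) : name;
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("invalid upload file name: " + name);
        }
        return base;
    }

    // Defence in depth: resolve the candidate against the upload directory
    // and require the normalized result to stay strictly inside it. Separator
    // semantics here follow the host OS, so this is a second check, not a
    // replacement for separator-agnostic stripping above.
    static boolean staysInside(Path uploadDir, String fileName) {
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(fileName).normalize();
        return target.startsWith(root) && !target.equals(root);
    }

    public static void main(String[] args) {
        // Constructed name taken from the report's description
        String hostile = "/....\\webapps\\shell.war";
        Path uploads = Paths.get("uploads");
        System.out.println("weak : " + weakStripFileName(hostile));
        System.out.println("safe : " + safeStripFileName(hostile));
        System.out.println("inside (weak): " + staysInside(uploads, weakStripFileName(hostile)));
        System.out.println("inside (safe): " + staysInside(uploads, safeStripFileName(hostile)));
    }
}
```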
Steps to reproduce
See above
Do you know any mitigations of the issue?
Not communicated
Reported on: August 28, 2023