Skip to content

rt.rap: RCE on RAP File Upload

Reported by @melazrak at the Security mailing list

Basic information

Project name: Eclipse RAP

Project id: rt.rap

What are the affected versions?

Not communicated

Details of the issue

I noticed a security issue on org.eclipse.rap.fileupload component and I would like to inform you about it. According to your Security Policy I tried to report vulnerabilities using the Eclipse Foundation's Bugzilla instance but when I created a new account I was asked to have at least one active component in order for me to enter a bug into the product Community. So I am reporting it to you via email.

Remote Code Execution is possible on Windows due to improper filename sanitization for features relying on servicehandler=org.eclipse.rap.fileupload mechanism. A partial sanitization of the filename name is done in the stripFileName method. When this method finds a / it removes everything before but keeps the potential \s. So for the filename "/....\webapps\shell.war" the stripFileName method keeps "....\webapps\shell.war".

Proof when running an app using RAP Fileupload on a Tomcat Server on Windows image

The file is saved on webapps folder

Please feel free to ask for more details if needed.

Steps to reproduce

See above

Do you know any mitigations of the issue?

Not communicated

Reported on: August 28, 2023

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Copyright © Eclipse Foundation, Inc. All Rights Reserved.     Privacy Policy | Terms of Use | Copyright Agent