Much appreciated your detailed response, Chris. I'll investigate these
points and try to discuss them with the developer.

Thanks once again!

On Tue, 9 Aug 2022 at 5:20 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Farash,
>
> On 8/9/22 09:23, Farash Ahamad wrote:
> > Hi Chris,
> >
> > There is an application portal running on tomcat used by many users,
> > where they create profiles, upload documents, etc.
> > When they upload the document via portal, the application pushes it to
> > sftp on another server, but sometimes a copy is stored in the root
> > directory of the tomcat server with exact details like filename, size, etc.
>
> So your users upload to your application, which then uploads the file
> via sftp?
>
> My guess is that your application does something like this:
>
> public void service(HttpServletRequest request, HttpServletResponse response)
>         throws IOException {
>    // filename comes straight from the client, unsanitized
>    String filename = request.getParameter("filename");
>    InputStream in = request.getInputStream();
>
>    // written relative to the Tomcat process's working directory
>    OutputStream out = new FileOutputStream(filename);
>    byte[] buf = new byte[8192];
>    int n;
>    while ((n = in.read(buf)) != -1) {
>      out.write(buf, 0, n);
>    }
>    out.close();   // never reached if read/write throws: the file stays behind
>    in.close();
>
>    FTPClient client = new FTPClient();   // sftp client sketch, as in the original
>    client.connect();
>    client.put(filename);
> }
>
> By using the Tomcat server as a temporary location for files, there is
> the possibility that uploaded-files will stick-around in that directory,
> especially if the code isn't very careful about resource-management and
> error-handling.
>
> I would immediately audit your code for the following:
>
> 1. Proper destination directory. If users can upload files to your
> Tomcat directory, what happens if I upload a .jsp file and then request
> that file over HTTP from your server? Will it execute the file? :0 You
> should write all files into the container-provided temp directory. Ask
> if you don't know what this is.
>
> 2. Filename sanitization. If a user can upload a file, can they
> overwrite local files? Can they perform directory-traversals? What
> happens if I upload /etc/passwd or conf/server.xml?
>
> 3. Proper resource management (e.g. look for close() and delete() for
> everything you do locally)
>
> 4. Maybe you don't even need to store the file locally. Does your sftp
> client library allow you to stream files directly to the remote server?
> It would be better to never write the file bytes onto the Tomcat server
> in the first place.
>
> Hope that helps,
> -chris
>
> > On Tue, Aug 9, 2022 at 4:18 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Farash,
> >>
> >> On 8/9/22 04:55, Farash Ahamad wrote:
> >>> Just to add, the file is getting uploaded to SFTP server, but there is
> >>> an exact copy in tomcat server as well.
> >>
> >> Can you give more details? Is a human user pushing via sftp to your
> >> Tomcat server? Or is your Tomcat-deployed application pushing via sftp
> >> to another server? Or something more complicated?
> >>
> >> Is the Tomcat server hosting the sftp server / destination?
> >>
> >> -chris
> >>
> >>> On Tue, Aug 9, 2022 at 11:46 AM Mark Thomas <ma...@apache.org> wrote:
> >>>
> >>>> This will always be an application issue.
> >>>>
> >>>> Mark
> >>>>
> >>>>
> >>>> On 09/08/2022 09:41, Farash Ahamad wrote:
> >>>>> Dear All,
> >>>>>
> >>>>> I am observing that several documents (pdf, png, jpeg, etc) which
> >>>>> the end user uploads in the application are getting stored in the
> >>>>> tomcat / directory.
> >>>>>
> >>>>> I would like to understand whether this is a bug in the application
> >>>>> code or in tomcat.
> >>>>>
> >>>>> Application based on: Java Spring Boot 2.1.3
> >>>>> Tomcat version: 9.0.41
> >>>>> OS Version: RHEL 7.9
> >>>>> Document Destination: SFTP server (Unified gluster FS through Serv-U)
> >>>>>
> >>>>> Appreciate your help.
> >>>>>
> >>>>> Thanks & Regards,
> >>>>> Farash Ahamad
> >>>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>
> >>>>
> >>>
> >>
> >
>

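A hardened counterpart to the sketch in Chris's reply, working through his four audit points. This is an added example, not code from the thread or from Farash's application; it assumes a plain servlet (Spring Boot 2.1 embeds Tomcat with the javax.servlet API), and `pushToSftp` is a hypothetical hook because the thread never names the sftp library in use.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UploadServlet extends HttpServlet {
    // Point 2: keep only a conservative basename and reject anything else rather
    // than "repairing" it, so ../, absolute paths and dotfiles never hit the filesystem.
    static String sanitizeFilename(String raw) {
        if (raw == null || raw.isEmpty()) throw new IllegalArgumentException("missing filename");
        String base = raw.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.startsWith(".") || !base.matches("[A-Za-z0-9._-]{1,100}")) {
            throw new IllegalArgumentException("unacceptable filename");
        }
        return base;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name;
        try {
            name = sanitizeFilename(req.getParameter("filename"));
        } catch (IllegalArgumentException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
            return;
        }
        // Point 1: the container-provided temp directory (Servlet spec attribute),
        // never the working directory or anything Tomcat serves over HTTP.
        java.io.File tempDir = (java.io.File) getServletContext()
                .getAttribute("javax.servlet.context.tempdir");
        Path tmp = Files.createTempFile(tempDir.toPath(), "upload-", ".part");
        try (InputStream in = req.getInputStream()) {
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            pushToSftp(tmp, name);   // hypothetical hook for the app's own sftp client
        } finally {
            Files.deleteIfExists(tmp);   // Point 3: runs even when the push throws
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Hypothetical: stream tmp to remoteName with whatever sftp client the app uses.
    // Point 4: if that client accepts an InputStream, skip the temp file entirely.
    void pushToSftp(Path tmp, String remoteName) throws IOException { }
}
```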