In other words, if the Apache web server redirects a path to a specific servlet (Java web application) on an internal application server like Tomcat, then adding ..;/ to the path allows traversing back and accessing other servlets located on the same application server. So, while a direct request to /npm-admin/ doesn’t work, and neither does a request to /npm-pwg/, a request to /npm-pwg/..;/npm-admin/ bypasses the redirect and brings up the web interface of the NuPoint unified messaging server.
From here the researchers were able to scan the web application and find the SQL injection flaw that corresponded to CVE-2024-35286. Then they wondered what other web applications (.war files) might reside in the root of the server apart from npm-admin. It turns out a number of them: awcPortlet, awv, axis2-AWC, Bulkuserprovisioning, ChangePasscodePortlet, ChangePasswordPortlet, ChangeSettingsPortlet, LoginPortlet, massat, MiCollabMetting, portal, ReconcileWizard, SdsccDistributionErrors, UCAProvisioningWizard, and usp.
A larger attack surface means more flaws to find
The path traversal issue opened up a much larger attack surface, as any one of those servlets that could now be accessed without authentication could have vulnerabilities or sensitive functionality that could be abused. The researchers reported the issue to Mitel in May, which assigned it CVE-2024-41713 and patched it in October, closing the attack vector.
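
One way to spot the `..;/` requests described above in web server access logs, as an added example that is not from the original article or from Mitel. The Apache common log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%3b and double-encoded forms are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_segments(target):
    """Return path segments of the form '..;params'. A front-end proxy does not
    see these as '..', but a container that strips ';params' first would."""
    path = decode_fully(target.split("?", 1)[0])
    hits = []
    for segment in path.split("/"):
        name, sep, _params = segment.partition(";")
        if sep and name == "..":
            hits.append(segment)
    return hits

def scan(lines):
    """Return (line_number, target, segments) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        segments = traversal_segments(match.group("target"))
        if segments:
            findings.append((number, match.group("target"), segments))
    return findings

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /npm-pwg/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /npm-pwg/..;/npm-admin/ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /npm-pwg/%2e%2e%3b/npm-admin/ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /portal/index.html;jsessionid=ABC HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, target, segments in scan(SAMPLE_LOG):
        print(f"line {number}: {target} -> {segments}")
```

Percent-encoded variants are flagged conservatively, and an ordinary path parameter such as `;jsessionid=` on a normal segment is not flagged.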