by twic
1538 days ago
> output an arbitrary JSP file

So I appreciate that this is only an example of a gadget, and there are others that could be invoked in the same way, but ...

> to the webapp root directory

This is only possible if the application is running from an exploded WAR. That can happen if the developer deploys an exploded WAR - normal in development, extremely strange in production - or if the application server explodes the WAR to run it. I know it used to be standard for application servers to do that, but my understanding was that they stopped doing this 5-10 years ago, and now run applications directly from the WAR file. That said, I am certainly not intimately familiar with all extant application servers, or what versions are in use - perhaps there are plenty of deployments that still do this.

I always argued for deploying the app as one user, then executing it as another, which didn't have write access to the deployment, specifically to avoid this class of problem, but nobody ever bothers to do that!
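The deployment practice the comment argues for (deploy as one account, run as another that cannot write to the exploded tree) can be checked mechanically. The following is an added example, not code from the comment or from any project it mentions: it builds a constructed `webapps/app/...` tree in a temp directory, leaves one directory world-writable as a deliberate slip, and audits which paths a given runtime uid/gid could write under ordinary POSIX permission rules. The uids, paths and file modes are all constructed for the demo; `strip_shared_write_bits` is a hypothetical remediation helper that only drops group/other write bits, since changing ownership would need privileges the example does not assume.

```python
"""Audit an exploded webapp tree for paths the runtime account could write.

Added example: models the two deployment styles contrasted in the comment
(runtime account == deploy account, versus a separate read-only runtime
account). All paths, uids and modes below are constructed for the demo.
"""
import os
import stat
import tempfile
from pathlib import Path


def writable_by(st: os.stat_result, uid: int, gids: set[int]) -> bool:
    """POSIX write check: owner bits if uid owns the entry, otherwise group
    bits if one of gids matches, otherwise the 'other' bits. Root writes anything."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def _entries(root):
    """Yield (path, lstat) for every directory and regular file under root,
    skipping symlinks so their lrwx mode is not mistaken for a writable entry."""
    for dirpath, _dirs, files in os.walk(root):
        for p in [Path(dirpath), *(Path(dirpath) / f for f in files)]:
            st = os.lstat(p)
            if not stat.S_ISLNK(st.st_mode):
                yield p, st


def audit_webapp_root(root, uid: int, gids: set[int]) -> list[str]:
    """Return sorted root-relative paths writable by the given account.
    A writable directory is itself a finding: a new file (e.g. a JSP) could be
    created in it even when every existing file is read-only."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p, st in _entries(root)
                  if writable_by(st, uid, gids))


def strip_shared_write_bits(root) -> None:
    """Hypothetical remediation: drop group/other write bits so only the owning
    (deploy) account can modify the tree. Ownership is left unchanged."""
    for p, st in _entries(root):
        os.chmod(p, stat.S_IMODE(st.st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH))


def build_demo_tree() -> Path:
    """Constructed exploded-WAR layout with one world-writable directory,
    the kind of slip the audit is meant to catch."""
    root = Path(tempfile.mkdtemp(prefix="webapps-"))
    (root / "app" / "WEB-INF").mkdir(parents=True)
    (root / "app" / "upload").mkdir()
    (root / "app" / "index.jsp").write_text("hello\n")
    (root / "app" / "WEB-INF" / "web.xml").write_text("<web-app/>\n")
    for p, st in list(_entries(root)):
        os.chmod(p, 0o755 if stat.S_ISDIR(st.st_mode) else 0o644)
    os.chmod(root / "app" / "upload", 0o777)  # the deliberate misconfiguration
    return root


def run_demo():
    """Compare the two deployment styles on the demo tree.
    Returns (findings for a separate runtime account,
             findings when the deploy account also runs the app,
             findings for the separate account after hardening)."""
    root = build_demo_tree()
    st = os.stat(root)
    deploy = (st.st_uid, {st.st_gid})
    other = (st.st_uid + 1, {st.st_gid + 1})  # hypothetical distinct runtime account
    same_user = audit_webapp_root(root, *deploy)      # everything is writable
    separate_user = audit_webapp_root(root, *other)   # only the 0o777 directory
    strip_shared_write_bits(root)
    hardened = audit_webapp_root(root, *other)        # nothing left
    return separate_user, same_user, hardened


if __name__ == "__main__":
    separate, same, hardened = run_demo()
    print("separate runtime account:", separate)
    print("same account for deploy and run:", same)
    print("separate account after hardening:", hardened)
```

The point of the three results is the comment's argument in miniature: when the application runs as the account that owns the deployment, every directory is a place the app (or anything that can make it write files) can drop content; with a distinct runtime account only explicitly shared-writable paths remain, and those are what the audit should be run against before the app goes live.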