In other words, if the Apache web server redirects a path to a specific servlet (Java web application) on an internal application server like Tomcat, then adding ..;/ to the path allows traversing back and accessing other servlets located on the same application server. So, while a direct request to /npm-admin/ doesn’t work, and neither does a request to /npm-pwg/, a request to /npm-pwg/..;/npm-admin/ bypasses the redirect and brings up the web interface of the NuPoint unified messaging server.
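The mismatch described above can be looked for in front-end access logs. The following detection sketch is an added example, not code from the researchers or from Mitel. It assumes the front end routes on the first raw path segment and the application server drops ;parameters from each segment before resolving dot segments; the function names are hypothetical and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /npm-pwg/login.jsp HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /npm-pwg/..;/npm-admin/ HTTP/1.1" 200 2048
198.51.100.9 - - [01/Jan/2025:10:00:04 +0000] "GET /portal/a/../b;jsessionid=ABC HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"')

def proxy_context(raw_path):
    """First path segment as a prefix-matching front end sees it (no normalization)."""
    return raw_path.split("?", 1)[0].lstrip("/").split("/", 1)[0]

def backend_context(raw_path):
    """First segment after container-style handling (assumed model): drop
    ';params' from every segment, then resolve '.' and '..'."""
    # Decode once so the comparison is made on the decoded path.
    path = unquote(raw_path.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    resolved = posixpath.normpath("/".join(segments))
    return resolved.lstrip("/").split("/", 1)[0]

def find_context_escapes(log_text):
    """Return (raw_path, proxy_ctx, backend_ctx) for every request whose
    target application differs between the two views."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        front, back = proxy_context(raw), backend_context(raw)
        if front != back:
            hits.append((raw, front, back))
    return hits

if __name__ == "__main__":
    for raw, front, back in find_context_escapes(SAMPLE_LOG):
        print(f"context mismatch: proxy={front!r} backend={back!r} path={raw}")
```

The third sample line shows that an ordinary path parameter such as ;jsessionid and a dot segment that stays inside the same application are not flagged; only requests that resolve to a different servlet context than the one the front end matched are reported.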
From here the researchers were able to scan the web application and find the SQL injection flaw that corresponded to CVE-2024-35286. Then they wondered what other web applications (.war files) might reside in the root of the server aside from npm-admin. It turns out a lot of them: awcPortlet, awv, axis2-AWC, Bulkuserprovisioning, ChangePasscodePortlet, ChangePasswordPortlet, ChangeSettingsPortlet, LoginPortlet, massat, MiCollabMetting, portal, ReconcileWizard, SdsccDistributionErrors, UCAProvisioningWizard, and usp.
A larger attack surface means more flaws to find
The path traversal issue opened a much larger attack surface, as any one of those servlets that could now be accessed without authentication could have vulnerabilities or sensitive functionalities that could be abused. The researchers reported the issue to Mitel in May, which assigned it CVE-2024-41713 and patched it in October, closing the attack vector.