[Vulnerability Report] Directory Traversal Attack in subdomain of Apple.com

Report: Apple flaw that leads to sensitive file disclosure

The following is my report on a serious vulnerability which I had discovered on one of the apple.com's subdomains for which I was also awarded a place at Apple Hall of Fame.

------------------Following is the email which I had sent to Apple------------------

Vulnerability Type: Directory Traversal Attack

Abstract: I have discovered one of the apple.com's subdomains vulnerable to directory traversal attack which allows a remote attacker to access sensitive files saved on the webserver that was not intended to be accessible by an unprivileged user.

Scope: http://consultants.apple.com

Risk Level: High

Vulnerability Description:  Directory traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files. Directory traversal attacks use web server software to exploit inadequate security mechanisms giving them root access to directories and files stored on the webserver.

Affected URL: https://consultants.apple.com/publicLocator/downloadProfile/downloadProfile?execution=e1s1&id=%2Fimages%2FpublicLocator%2FPDF_RequirementstoJoin_ACN_May2015.pdf  

Vulnerability Impact Scenario: 
A remote attacker is able to download critical files from apple's webserver such as /etc/passwd, configuration files and log files which may result in "Sensitive Information Disclosure" and may also allow the attacker to carry out further attacks on the system using the information gathered through this vulnerability.

Vulnerability Reproduction Steps(POC):
1. Visit the Affected URL as mentioned above.

2. Modify the following parameter " e1s1&id=%2Fimages%2FpublicLocator%2FPDF_RequirementstoJoin_ACN_May2015.pdf " with " ../../../../../../../etc/passwd "

3. So our final URL becomes " https://consultants.apple.com/publicLocator/downloadProfile/downloadProfile?execution=e1s1&id=../../../../../../../etc/passwd "

4. The final URL which we have generated allows us to traverse /root directory of the webserver and as a POC(Proof Of Concept) we can see that URL which we have generated allows us to view the /etc/passwd file of the system.   

Brief description of the issue:    The vulnerability i am reporting is known as Directory Traversal Attack which is caused due to poor input validation in the Affected URL, the following parameter of the affected URL "id=" accepts path of the file to be downloaded, but due to insufficient security validation/sanitization of user-supplied input file names we can provide custom queries and traverse up to the root directory of the webserver using "../" (Go Up).

Directory Traversal Attack is a serious vulnerability which is capable of compromising the entire web server, not just the single subdomain which I have reported but all the websites which are hosted on the same server. My suggestion is to patch this vulnerability as soon as possible before it gets discovered by some cracker and gets exploited.

Let me know if you require any other information, I will be happy to assist.

Amit Kumar(Ak)
-------------------------------------End of eMail-------------------------------------