Server-Side Source Code Disclosure via .jsp.bak

Disclosed by
Mrinfinite
  • Engagement Bureau of Indian Affairs
  • Disclosed date 4 months ago
  • Priority P3 (Bugcrowd's VRT priority rating)
  • Status Resolved (this vulnerability has been accepted and fixed)
Summary by Bureau of Indian Affairs

IA has corrected a misconfiguration and no longer allows access to the file in question.

Summary by Mrinfinite

A publicly accessible backup file (login.jsp.bak) was identified within the IBM Maximo web application hosted at maximotrng.bia.gov. This file exposes the complete server-side source code of the Maximo authentication component without requiring authentication.

The disclosed JSP source code reveals sensitive implementation details, including authentication workflows, session and timeout handling, login parameters, internal endpoints, deployment configuration, and multi-tenant behavior. As IBM Maximo is an enterprise asset management platform commonly used in critical infrastructure environments, exposure of its authentication logic significantly increases the risk of targeted attacks.

An attacker could leverage this information to gain insight into internal security controls, identify Maximo-specific vulnerabilities, and craft more effective attack strategies such as authentication bypass attempts, credential-based attacks, or vulnerability chaining. Backup files should not be accessible from the web root, and the affected resource should be removed or properly restricted.

Priority: P3
Vulnerability Type: Information Disclosure – Source Code Disclosure

Report details
  • Submitted

  • Target Location

    *.bia.gov
  • Target category

    Web App

  • VRT

    Sensitive Data Exposure > Disclosure of Secrets > For Internal Asset
  • Priority

    P3
  • Bug URL
    https://maximotrng.bia.gov/maximo/webclient/login/login.jsp.bak
  • Description

    A backup file of a JavaServer Pages (JSP) authentication component (login.jsp.bak) is publicly accessible. This file discloses full server-side source code for the IBM Maximo login functionality, including authentication logic, session handling, security controls, internal endpoints, and deployment configuration. This significantly increases the risk of targeted attacks against the application.

    Affected Asset
    https://maximotrng.bia.gov/maximo/webclient/login/login.jsp.bak

    Vulnerability Type
    Information Disclosure
    Source Code Disclosure

    Reasoning:
    Full server-side source code disclosure
    Authentication and session logic exposed
    Enterprise system (IBM Maximo) commonly used in critical infrastructure
    Easy to exploit (direct GET request)

    Steps to Reproduce
    1. Open a browser.
    2. Go to the URL https://maximotrng.bia.gov/maximo/webclient/login/login.jsp and add .bak at the end: https://maximo.bia.gov/maximo/webclient/login/login.jsp.bak. Now you can see it.
    3. Observe that the server responds with:
    HTTP 200 OK
    Plain text content
    Complete JSP source code

    Expected Result
    The server should return 403 Forbidden or 404 Not Found
    Backup files should not be accessible from the web root

    Actual Result
    The server returns the full JSP source code
    No authentication required

    Impact

    An attacker can gain detailed knowledge of the internal authentication mechanism, including:
    Authentication flow (j_security_check, mxlogin.jsp)
    Login parameters (username, password, tenant, debug, mobile)
    CSRF token handling
    Session management and timeout logic
    Multi-tenant and admin login behavior
    SaaS vs on-premise deployment indicators
    Internal file paths and endpoints
    Supported languages and mobile login logic
    This information can be used to:
    Craft targeted authentication bypass attempts
    Improve brute-force and credential stuffing attacks
    Identify Maximo-specific CVEs
    Perform accurate phishing and social engineering
    Chain with other vulnerabilities (XSS, session fixation, clickjacking)

    Proof of Concept
    information2.mp4 attached
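A defender-side check that follows from the expected result above, added here as an example and not part of the report or of IBM Maximo: it parses web server access logs (Apache/IBM HTTP Server combined format is assumed) and flags requests for backup copies of server-side source files that were answered with 200 instead of the expected 403 or 404. The log lines are constructed samples; the first one mirrors the reported request path.

```python
import re
from urllib.parse import urlsplit

# Suffixes that mark editor or backup copies (login.jsp.bak, web.xml~, ...).
BACKUP_EXT_RE = re.compile(r"(\.(bak|old|orig|save|swp|tmp)|~)$", re.IGNORECASE)
# A source extension followed by another dot (login.jsp.anything) is also suspect.
SOURCE_EXT_RE = re.compile(r"\.(jsp|jspx|php|asp|aspx|py|rb|java)\.", re.IGNORECASE)

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_backup_artifact(path: str) -> bool:
    """True if the request path looks like a backup copy of a source file."""
    p = urlsplit(path).path  # ignore any query string
    return bool(BACKUP_EXT_RE.search(p)) or bool(SOURCE_EXT_RE.search(p))

def find_exposed_backups(log_lines):
    """Return (ip, path, status) for backup-artifact requests the server served.

    A 200 means the file was handed out; 403/404 are the expected answers and
    are not reported. Malformed lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["status"] == "200" and is_backup_artifact(m["path"]):
            hits.append((m["ip"], urlsplit(m["path"]).path, int(m["status"])))
    return hits

# Constructed sample log lines (hypothetical addresses, not taken from the report).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /maximo/webclient/login/login.jsp.bak HTTP/1.1" 200 18342',
    '198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /maximo/webclient/login/login.jsp HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /maximo/webclient/login/login.jsp.orig?x=1 HTTP/1.1" 404 213',
    '203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /maximo/ui/web.xml~ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, path, status in find_exposed_backups(SAMPLE_LOG):
        print(f"EXPOSED: backup file served with {status} to {ip}: {path}")
```

Any hit is a signal that the web root still contains a backup copy that the server is willing to serve, which is the misconfiguration the report describes; the fix is to remove the file and deny these suffixes at the web server.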
