Critical File Path Manipulation Vulnerability Exposed in Test Application, WEB-INF/web.xml Accessed
A critical file path manipulation vulnerability has been confirmed in a staging environment, allowing unauthorized access to a sensitive server configuration file. The attack succeeded by submitting a simple payload containing '../WEB-INF/web.xml' through a user-controllable parameter; the server processed the value and returned the protected file. This direct retrieval of the web.xml file, typically shielded within the WEB-INF directory, signals a severe server-side security flaw that could expose application secrets and source code.
The vulnerability was found in a product named 'Test 709502357CDCEA6D5A576' with a subproduct 'Sub Test 1774530996894EC961FC15CB6'. The issue's status is marked as 'Confirmed' with a 'Critical' severity rating, indicating the finding is validated and poses an immediate high risk. The attack vector exploits improper neutralization of user input used in file system paths, a classic yet dangerous oversight that can grant attackers a foothold within the application's internal structure.
Successful exploitation of such a flaw can lead to significant information disclosure. Attackers constrained to the web root can still access normally protected resources like configuration files, source code for server-side scripts, or files with extensions the server is not configured to serve directly. This breach demonstrates a failure in input validation and path security controls, creating a direct pathway for further reconnaissance and potential system compromise if the vulnerability exists in a production environment.
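The missing control, as an added example that is not code from the application described above: a resolver that normalizes the user-supplied value against a fixed base directory, then rejects anything that escapes it or touches WEB-INF or META-INF. The class name, the base directory and the sample inputs other than '../WEB-INF/web.xml' are hypothetical.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class SafeResourceResolver {
    private final Path baseDir; // hypothetical directory the parameter is allowed to read from

    public SafeResourceResolver(String baseDir) {
        this.baseDir = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /** Returns the resolved path only if it stays inside baseDir and avoids protected directories. */
    public Optional<Path> resolve(String userValue) {
        if (userValue == null || userValue.isEmpty() || userValue.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        Path candidate;
        try {
            // normalize() collapses "." and ".." segments BEFORE the containment check
            candidate = baseDir.resolve(userValue).normalize();
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
        // An absolute input or enough ".." segments lands outside baseDir
        if (!candidate.startsWith(baseDir)) {
            return Optional.empty();
        }
        // Defence in depth: never serve container-protected directories, whatever the case
        for (Path segment : baseDir.relativize(candidate)) {
            String name = segment.toString();
            if (name.equalsIgnoreCase("WEB-INF") || name.equalsIgnoreCase("META-INF")) {
                return Optional.empty();
            }
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        SafeResourceResolver r = new SafeResourceResolver("/srv/app/webroot/files"); // constructed path
        String[] samples = {"report.pdf", "../WEB-INF/web.xml", "a/../../WEB-INF/web.xml", "/etc/passwd"};
        for (String s : samples) {
            System.out.println(s + " -> " + r.resolve(s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

normalize() is purely lexical and does not follow symbolic links; where links may exist under the base directory, compare toRealPath() of the existing file against the real base path as well.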