Esri/resource-proxy

Directory Traversal Vulnerability

Closed this issue · 1 comment

The default configuration of the proxy 'matchAll="true"' is susceptible to the Path Traversal vulnerability, which bypasses the 'serverUrl' parameter.
For example:
If <serverUrl url="http://127.0.0.1:80/myserver/web/"> is set, any access to "http://127.0.0.1:80/myserver/rest/" is restricted.
However, using a basic Path Traversal technique, this can be bypassed: "http://127.0.0.1:80/myserver/web/../rest/"
This was tested and confirmed for the DotNet proxy, but after some static analysis, the Java and PHP ones look vulnerable as well.
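The following is an added example, not code from the resource-proxy project, showing why a plain string-prefix comparison against `serverUrl` fails and what a canonicalising check looks like: the requested URL is percent-decoded and path-normalised before scheme, host, port and path are compared, so a `../` (or `%2e%2e`) segment cannot step out of the allowed prefix. The allowlist is constructed from the issue's own example entry.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allowlist mirroring the issue's <serverUrl url="..."> entry.
SERVER_URLS = ["http://127.0.0.1:80/myserver/web/"]


def naive_allowed(requested: str) -> bool:
    """Plain string-prefix check: a '../' segment slips straight past it."""
    return any(requested.startswith(base) for base in SERVER_URLS)


def _canonical(url: str):
    """Return (scheme, host, port, normalised path) for comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    # Percent-decode first so %2e%2e cannot hide a '..' segment, then let
    # normpath collapse '.', '..' and repeated slashes. The extra leading
    # slash keeps '..' from escaping the root; lstrip removes any surplus.
    raw = unquote(parts.path)
    path = "/" + posixpath.normpath("/" + raw).lstrip("/")
    if raw.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops the trailing slash; keep it for matching
    return scheme, host, port, path


def hardened_allowed(requested: str) -> bool:
    """Compare canonical forms and require a segment-boundary prefix match."""
    r_scheme, r_host, r_port, r_path = _canonical(requested)
    for base in SERVER_URLS:
        b_scheme, b_host, b_port, b_path = _canonical(base)
        if (r_scheme, r_host, r_port) != (b_scheme, b_host, b_port):
            continue
        b_dir = b_path if b_path.endswith("/") else b_path + "/"
        # Accept the base itself or anything below it, never e.g. 'webby/'.
        if r_path == b_dir.rstrip("/") or r_path.startswith(b_dir):
            return True
    return False
```

With this allowlist, `naive_allowed` accepts the `web/../rest/` URL from the report while `hardened_allowed` rejects it, and the hardened check also rejects the percent-encoded form and a host or port mismatch.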

Thanks for reporting @kriso4os. I'll close out this issue with a note that the repo is going to be archived imminently, and we are adding verbiage that these proxies should not be used.