Expression Language evaluated in Apache Web Server
Question
I am having an Apache Web server 2.0 and Tomcat server 7.0.
Web server directs the request to Tomcat server.
Both web and tomcat application servers are directly accessible.
When expression language ${9-4} is sent as a request parameter to web server URL, then the expression is getting evaluated and returning a result of 5.
If the same request is sent to Tomcat server then the result is ${9-4} without evaluation.
Eg:
Web Server
Request: http://apache-web-server:port/context?test= ${9-4}
Response when printing test in jsp: 5
Tomcat Server
Request: http://tomcat-server:port/context?test= ${9-4}
Response when printing test in jsp: ${9-4}
Is Apache Web server evaluating the expression language here?
How can I stop the server from evaluating the expression language?
Also I am using Struts 2 in the Tomcat Application server.
If the Apache Web server has the capability of evaluating expressions, then how do I turn off OGNL expression evaluation in Apache Web server?
2 answers
solution1
0 2015-09-02 07:43:55
It looks like the JSP Expression Language is parsing your parameter. Its actually a remote code execution vulnerability your application have.
Look at this articles: https://www.owasp.org/index.php/Expression_Language_Injection http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/
solution2
0 2015-09-18 09:37:09
Why you pass these are as the values in the url. Instead of that you can pass these vales in the variables and assign access the variables values from jsp or controller then you can write the logic there.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.