
Is Spring - SpEL vulnerable?

I came across an article Open source library with vulnerabilities .

This article states that "Spring Expression Language (SpEL) could be exploited through HTTP parameter submissions that would allow attackers to get sensitive system data, application and user cookies."

Can someone shed more light on this, please?

The discovery by Aspect Security was found in January 2013, but the fix that SpringSource published was made available back in 2011 when this was first discovered. Dan Amodio of Aspect Security informed SpringSource about the possibility of remote code execution.

SpringSource updated our security report 12-06-2012 with Aspect Security's finding – but the fix/mitigation listed in the original advisory is still applicable: http://support.springsource.com/security/cve-2011-2730

This vulnerability only affects Spring Framework versions:

• 3.0.0 to 3.0.5 -- upgrading to 3.0.6 here would solve the issue.
• 2.5.0 to 2.5.6.SEC02 (community releases) -- upgrading to 2.5.6.SEC03 here would solve the issue.
• 2.5.0 to 2.5.7.SR01 (subscription customers) -- upgrading to 2.5.7.SR02 here would solve the issue.

This has been fixed in all versions going forward – the current release of SpringFramework is 3.2, released in Dec 2012.

Thanks,

-Pieter (SpringSource)

Check out this Aspect Security/Minded Security evaluation of SpEL (google docs link), which the article you link to is probably referring to (for the specific case of SpEL).

They describe how certain Spring JSP tags double-evaluate EL expressions. In these cases it may be possible for the user to submit data to the server in the form of SpEL, e.g. as a request parameter with the value ${bean.val} (URL encoded):

http://...?exp=$%7Bbean.val%7D

Inside JSP pages, the expression ${param.exp} will be resolved to the text ${bean.val}, which by itself is safe. If, however, that expression resides within an attribute of a Spring JSTL tag, that resolved value may be evaluated again, e.g. in the spring:message tag:

<spring:message message="${param.exp}" />

will result in the value ${bean.val} being passed through to the spring:message tag which will evaluate the bean.getVal() method. Hence we now have code submitted by the client and being run on the server.
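To make the two evaluation stages concrete, here is an added Python model of the mechanism described in this answer. It is not Spring's code and not a JSP EL implementation; `Bean.get_val` (standing in for `bean.getVal()`), the parameter name `exp` and the "fixed tag treats its attribute as a literal" behaviour are assumptions modelled on the answer. The first pass turns `${param.exp}` into the literal text `${bean.val}`; only a tag that evaluates its attribute a second time turns that text into a call on the server-side bean.

```python
import re

# Constructed stand-in for a server-side bean reachable from page context;
# get_val() plays the role of bean.getVal() in the answer above.
class Bean:
    def get_val(self):
        return "SECRET-FROM-SERVER"

# Minimal ${...} syntax: a dotted path of identifiers, as in ${bean.val}.
EXPR = re.compile(r"\$\{([a-zA-Z_][\w.]*)\}")

def evaluate(path, context):
    """Resolve 'a.b.c': dict segments by key, objects by a get_<name>() accessor."""
    obj = context
    for seg in path.split("."):
        obj = obj[seg] if isinstance(obj, dict) else getattr(obj, "get_" + seg)()
    return obj

def jsp_pass(text, context):
    """One evaluation pass, like the JSP container on page text.
    re.sub runs once, so ${...} that appears INSIDE a resolved value stays text."""
    return EXPR.sub(lambda m: str(evaluate(m.group(1), context)), text)

def message_tag_vulnerable(attr_value, context):
    """Models the affected tag: it evaluates its (already resolved) attribute again."""
    return jsp_pass(attr_value, context)

def message_tag_fixed(attr_value, context):
    """Models the safe behaviour (assumption): the resolved attribute is a literal."""
    return attr_value

def render(request_params, tag):
    """Render <spring:message message="${param.exp}" /> for one request."""
    context = {"param": request_params, "bean": Bean()}
    # Stage 1: the container resolves ${param.exp} -> whatever the client sent.
    attr_value = jsp_pass("${param.exp}", context)
    # Stage 2: the tag handles the attribute it was given.
    return tag(attr_value, context)

if __name__ == "__main__":
    # Constructed request: ?exp=$%7Bbean.val%7D after URL decoding.
    params = {"exp": "${bean.val}"}
    print("stage 1 only :", jsp_pass("${param.exp}", {"param": params, "bean": Bean()}))
    print("vulnerable tag:", render(params, message_tag_vulnerable))
    print("fixed tag    :", render(params, message_tag_fixed))
```

The first print shows the resolved text is inert on its own; the difference between the last two lines is exactly the second evaluation the answer warns about, which is why the upgrade (or keeping untrusted input out of tag attributes) matters.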
