lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 9 Sep 2011 01:40:35 -0700
From: s2-security <s2-security@...are.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
  "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: CVE-2011-2730: Spring Framework Information Disclosure

CVE-2011-2730: Spring Framework Information Disclosure

Severity: Variable depending on application. Likely to be low to moderate, may be important.

Version affected:
3.0.0 to 3.0.5
2.5.0 to 2.5.6.SEC02 (community releases)
2.5.0 to 2.5.7.SR01 (subscription customers)
Earlier, unsupported versions may also be affected

Description:
Prior to JSP 2.0, Expression Language (EL) was not supported. To enable the use of EL in web applications based on earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for EL twice. Once by the container and once by the tag. This can lead to unexpected results that include disclosure of information. More details, including a complete list of the vulnerable tags and attributes, are available in a paper[1] written by the researchers that discovered this issue.

Example:
A request of the form:
http:///vulnerable.com/foo?message=${applicationScope}

to a page that contains:
<spring:message code="${param['message']}" text=""/>

will result in output that contains internal server information including the classpath and local working directories. Session IDs can be obtained using similar techniques.

Mitigation:
A new context parameter has been added called springJspExpressionSupport. When true (the default) the existing behaviour of evaluating EL within the tag will be performed. When running in an environment where EL support is provided by the container, this should be set to false. Note that for Spring Framework 3.1 onwards when running on a Servlet 3.0 or higher container, the correct default will be set automatically. This new attribute is available in:
3.0.6 onwards
2.5.6.SEC03 onwards (community releases)
2.5.7.SR02 (subscription customers)

Credit:
This issue was discovered by Stefano Di Paola, Minded Security and Arshan Dabirsiaghi, Aspect Security.

History:
2011-09-09: Original advisory

References:
[1] http://bit.ly/ExpressionLanguageInjection
[2] http://www.springsource.com/security/cve-2011-2730

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ