lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <C19FEA98C0D18F42B912AB73384528C2187268012C@exch-pub-pd03.vmware.com> Date: Fri, 9 Sep 2011 01:40:35 -0700 From: s2-security <s2-security@...are.com> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: CVE-2011-2730: Spring Framework Information Disclosure CVE-2011-2730: Spring Framework Information Disclosure Severity: Variable depending on application. Likely to be low to moderate, may be important. Version affected: 3.0.0 to 3.0.5 2.5.0 to 2.5.6.SEC02 (community releases) 2.5.0 to 2.5.7.SR01 (subscription customers) Earlier, unsupported versions may also be affected Description: Prior to JSP 2.0, Expression Language (EL) was not supported. To enable the use of EL in web applications based on earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for EL twice. Once by the container and once by the tag. This can lead to unexpected results that include disclosure of information. More details, including a complete list of the vulnerable tags and attributes, are available in a paper[1] written by the researchers that discovered this issue. Example: A request of the form: http:///vulnerable.com/foo?message=${applicationScope} to a page that contains: <spring:message code="${param['message']}" text=""/> will result in output that contains internal server information including the classpath and local working directories. Session IDs can be obtained using similar techniques. Mitigation: A new context parameter has been added called springJspExpressionSupport. When true (the default) the existing behaviour of evaluating EL within the tag will be performed. When running in an environment where EL support is provided by the container, this should be set to false. Note that for Spring Framework 3.1 onwards when running on a Servlet 3.0 or higher container, the correct default will be set automatically. This new attribute is available in: 3.0.6 onwards 2.5.6.SEC03 onwards (community releases) 2.5.7.SR02 (subscription customers) Credit: This issue was discovered by Stefano Di Paola, Minded Security and Arshan Dabirsiaghi, Aspect Security. History: 2011-09-09: Original advisory References: [1] http://bit.ly/ExpressionLanguageInjection [2] http://www.springsource.com/security/cve-2011-2730 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists