security - Spring "redirect:" EL vulnerability? -


i have public-facing web application uses spring mvc (3.2.x) , spring security (3.1.x). morning observed requests of following form in our access logs:

get /mywebapppath/login.do?redirect:${some url-encoded el code here}

what bug or feature of spring attempting exploit? under conditions spring (or other code) evaluate el expression?

it looks ?redirect: parameter ignored me, makes me nervous because don't know verify i'm not vulnerable. googling has turned unrelated things (as best can tell).

if code inside ${ } had run, have attempted dump contents of /etc/passwd client. (thankfully looks never did run. plus file doesn't exist on our system. , our tomcat runs user limited permissions.)

edit: here actual code inside ${ }, after decoding , adding newlines readability:

#a=(new java.lang.processbuilder(new java.lang.string[]{'cat','/etc/passwd'})).start(), #b=#a.getinputstream(), #c=new java.io.inputstreamreader(#b), #d=new java.io.bufferedreader(#c), #e=new char[50000], #d.read(#e), #matt=#context.get('com.opensymphony.xwork2.dispatcher.httpservletresponse'), #matt.getwriter().println(#e), #matt.getwriter().flush(), #matt.getwriter().close()

es correcto, esta vulnerabilidad es exclusiva de struts 2, y esta documentada como cve-2013-2251. no tienes de que preocuparte con spring mvc.

that's right, vulnerability exclusive struts 2, , is documented cve-2013-2251. not have worry spring mvc.


Comments

Post a Comment

Popular posts from this blog

apache - Remove .php and add trailing slash in url using htaccess not loading css -

i have add following code htaccess file removing .php extension , add trailing slash urls. worked fine reduced page loading speed , css code not loading @ all. pages ugly. please help rewriteengine on rewritebase / ## hide .php extension snippet # externally redirect /dir/foo.php /dir/foo rewritecond %{the_request} ^[a-z]{3,}\s([^.]+)\.php [nc] rewriterule ^ %1/ [r,l] # add trailing slash rewritecond %{request_filename} !-f rewritecond %{request_uri} !/$ rewriterule . %{request_uri}/ [l,r=301] # internally forward /dir/foo /dir/foo.php rewritecond %{request_filename} !-d rewritecond %{request_filename}.php -f rewriterule ^(.*?)/?$ $1.php [l] we can rewrite urls using .htaccess files. before writing in .htaccess files need verify kind of server using. can check server adding a <?php phpinfo(); ?> in php page. ensure mod_rewrite module enabled in apache server. can identified checking phpinfo included page. common methods used url rewriting follows ...
Read more

inno setup - TLabel or TNewStaticText - change .Font.Style on Focus like Cursor changes with .Cursor -

is possible change .font.style on focus tlabel or tnewstatictext happens cursor when use .cursor ? there no built-in support track mouse hovering in inno setup @ time. however, intercepting window procedure of controls can track yourself. following example need innocallback library: [setup] appname=my program appversion=1.5 defaultdirname={pf}\my program outputdir=userdocs:inno setup examples output [files] source: "innocallback.dll"; destdir: "{tmp}"; flags: dontcopy [code] #ifdef unicode #define aw "w" #else #define aw "a" #endif const gwl_wndproc = -4; wm_mousemove = $0200; type wparam = uint_ptr; lparam = longint; lresult = longint; twindowproc = function(hwnd: hwnd; umsg: uint; wparam: wparam; lparam: lparam): lresult; function setcapture(hwnd: hwnd): hwnd; external 'setcapture@user32.dll stdcall'; function releasecapture: bool; external 'releasecapture@user32.dll stdcall'; func...
Read more