[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2011-2730: Spring Framework Information Disclosure

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: CVE-2011-2730: Spring Framework Information Disclosure
From: s2-security <s2-security@xxxxxxxxxx>
Date: Fri, 9 Sep 2011 01:40:35 -0700

CVE-2011-2730: Spring Framework Information Disclosure

Severity: Variable depending on application. Likely to be low to moderate, may 
be important.

Version affected:
3.0.0 to 3.0.5
2.5.0 to 2.5.6.SEC02 (community releases)
2.5.0 to 2.5.7.SR01 (subscription customers)
Earlier, unsupported versions may also be affected

Description:
Prior to JSP 2.0, Expression Language (EL) was not supported. To enable the use 
of EL in web applications based on earlier JSP specifications, some Spring MVC 
tags provide EL support independently of the Servlet/JSP container. The 
evaluation of EL is enabled by default. When used on containers that do support 
EL, the attributes can be evaluated for EL twice. Once by the container and 
once by the tag. This can lead to unexpected results that include disclosure of 
information. More details, including a complete list of the vulnerable tags and 
attributes, are available in a paper[1] written by the researchers that 
discovered this issue.

Example:
A request of the form:
http:///vulnerable.com/foo?message=${applicationScope}

to a page that contains:
<spring:message code="${param['message']}" text=""/>

will result in output that contains internal server information including the 
classpath and local working directories. Session IDs can be obtained using 
similar techniques.

Mitigation:
A new context parameter has been added called springJspExpressionSupport. When 
true (the default) the existing behaviour of evaluating EL within the tag will 
be performed. When running in an environment where EL support is provided by 
the container, this should be set to false. Note that for Spring Framework 3.1 
onwards when running on a Servlet 3.0 or higher container, the correct default 
will be set automatically. This new attribute is available in:
3.0.6 onwards
2.5.6.SEC03 onwards (community releases)
2.5.7.SR02 (subscription customers)

Credit:
This issue was discovered by Stefano Di Paola, Minded Security and Arshan 
Dabirsiaghi, Aspect Security.

History:
2011-09-09: Original advisory

References:
[1] http://bit.ly/ExpressionLanguageInjection
[2] http://www.springsource.com/security/cve-2011-2730

Prev by Date: Disassembling .NET Client Challenge
Next by Date: CVE-2011-2732: Spring Security header injection vulnerability
Previous by thread: Disassembling .NET Client Challenge
Next by thread: CVE-2011-2732: Spring Security header injection vulnerability
Index(es):
- Date
- Thread