Just like Spring EL, OGNL and JSTL, Alibaba QLExpress also allows programmers to directly call Java objects and execute methods using the Java reflection mechanism,
but there are no security restrictions, which raises a security risk while editing rules, just like this PoC:
So that causes a remote code execution;
Although it is a feature, there are security risks in the design.
Fix:
Use java.lang.SecurityManager to protect the JVM;
Prevent it with a blacklist (Runtime, ScriptEngine, FileAccess, ...);
Your suggestions are very good. Currently QLExpress is just a tool; it can do everything by calling Java reflection methods.
As an EL user and the application's owner, you should forbid some words before calling the EL executor.
By the way, I will also add a forbidden words feature in the project.
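An added example (not QLExpress project code and not posted in this thread) of the "forbid some words before calling the EL executor" approach described above: the rule text is screened against a deny-list of JVM identifiers before it ever reaches the executor. It assumes the public `ExpressRunner` / `DefaultContext` usage from the project's README; the deny-list contents and the `RuleGate` class are constructed for this example.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import com.ql.util.express.DefaultContext;
import com.ql.util.express.ExpressRunner;

/** Gate that screens a rule string before it reaches the QLExpress executor. */
public final class RuleGate {
    // Deny-list of identifiers that reach the JVM's process, scripting, file and
    // reflection APIs. Constructed for this example; extend it to the application's own list.
    private static final Set<String> FORBIDDEN = Set.of(
        "Runtime", "ProcessBuilder", "ScriptEngineManager", "ScriptEngine",
        "File", "FileInputStream", "FileOutputStream", "Files", "Paths",
        "Class", "forName", "getMethod", "invoke", "Thread", "System", "exit");

    // Java-style identifier tokens; operators, numbers and punctuation are skipped.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*");

    /** Returns the first forbidden identifier found in the rule, or null if the rule is clean. */
    public static String findForbiddenWord(String rule) {
        Matcher m = IDENT.matcher(rule);
        while (m.find()) {
            if (FORBIDDEN.contains(m.group())) {
                return m.group();
            }
        }
        return null;
    }

    /** Runs the rule only if it passes the word filter; otherwise refuses it before execution. */
    public static Object executeChecked(ExpressRunner runner, String rule,
                                        DefaultContext<String, Object> ctx) throws Exception {
        String hit = findForbiddenWord(rule);
        if (hit != null) {
            throw new SecurityException("rule rejected: forbidden word '" + hit + "'");
        }
        return runner.execute(rule, ctx, null, true, false);
    }

    public static void main(String[] args) throws Exception {
        ExpressRunner runner = new ExpressRunner();
        DefaultContext<String, Object> ctx = new DefaultContext<>();
        ctx.put("price", 120);
        ctx.put("qty", 3);
        // Benign business rule: passes the filter and is evaluated normally.
        System.out.println(executeChecked(runner, "price * qty > 300", ctx));
        // Rule that reaches the JVM's Runtime class: refused by the gate, never executed.
        try {
            executeChecked(runner, "Runtime.getRuntime().availableProcessors()", ctx);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

A word filter like this is a stop-gap rather than a boundary: it only sees the rule's literal identifiers, so it should be paired with keeping rule editing away from untrusted users and running the executor with the least privilege the application can afford.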
See more at:
https://wooyun.js.org/drops/%E4%B8%80%E7%A7%8D%E6%96%B0%E7%9A%84%E6%94%BB%E5%87%BB%E6%96%B9%E6%B3%95%E2%80%94%E2%80%94Java-Web-Expression-Language-Injection.html
https://www.owasp.org/index.php/Expression_Language_Injection
http://danamodio.com/tag/expression-language-injection/
https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf
@baoxingjie