Spring velocity projects are vulnerable to injection exploits [SPR-9224] #13862
Assignees
Labels
in: web
Issues in web modules (web, webmvc, webflux, websocket)
Comments
|
Rossen Stoyanchev commented Would you mind creating a sample project that demonstrates the exploit at the issues repo? |
|
whyBish commented Sorry, not a defect. The template we were relying on is doing a velocity evaluate on unescaped input fields. |
|
Rossen Stoyanchev commented Do you mean close the ticket or is it still an issue? |
|
Juergen Hoeller commented Seems like an invalid issue then... |
spring-projects-issues
added
type: bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
whyBish opened SPR-9224 and commented
http://forum.springsource.org/showthread.php?124077-Spring-WebMVC-Velocity-exploit
If an application uses spring-webmvc and a velocity view resolver and have used #springbind everywhere then html will be escaped but velocity will not.
Example exploit text:
#if(true)<stelocity!</strong>#rong>Vend
I can't find any info on how to velocity escape the input. Velocity itself doesn't seem to provide a velocity escaper (it provides html/sql etc). Does one exist or must a custom one be written?
The point to change would seem to be the #springbind definition in spring.vm
Affects: 3.1.1
Reference URL: http://forum.springsource.org/showthread.php?124077-Spring-WebMVC-Velocity-exploit
The text was updated successfully, but these errors were encountered: