Spring velocity projects are vulnerable to injection exploits [SPR-9224] #13862

Closed
spring-projects-issues opened this issue Mar 11, 2012 · 4 comments
Labels
in: web


@spring-projects-issues spring-projects-issues commented Mar 11, 2012

whyBish opened SPR-9224 and commented

http://forum.springsource.org/showthread.php?124077-Spring-WebMVC-Velocity-exploit

If an application uses spring-webmvc and a Velocity view resolver and has used #springbind everywhere, then HTML will be escaped but Velocity will not.
Example exploit text:
#if(true)<stelocity!</strong>#rong>Vend

I can't find any info on how to velocity escape the input. Velocity itself doesn't seem to provide a velocity escaper (it provides html/sql etc). Does one exist or must a custom one be written?
The point to change would seem to be the #springbind definition in spring.vm


Affects: 3.1.1

Reference URL: http://forum.springsource.org/showthread.php?124077-Spring-WebMVC-Velocity-exploit


@spring-projects-issues spring-projects-issues commented Mar 12, 2012

Rossen Stoyanchev commented

Would you mind creating a sample project that demonstrates the exploit at the issues repo?


@spring-projects-issues spring-projects-issues commented Mar 12, 2012

whyBish commented

Sorry, not a defect. The template we were relying on is doing a velocity evaluate on unescaped input fields.


@spring-projects-issues spring-projects-issues commented Mar 13, 2012

Rossen Stoyanchev commented

Do you mean close the ticket or is it still an issue?


@spring-projects-issues spring-projects-issues commented Jan 16, 2013

Juergen Hoeller commented

Seems like an invalid issue then...

@spring-projects-issues spring-projects-issues added type: bug in: web labels Jan 11, 2019
@spring-projects-issues spring-projects-issues removed the type: bug label Jan 11, 2019
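
The root cause named in the thread (a template running a Velocity evaluate over a field value), shown next to a plain reference to the same value. This is an added example, not code from the reporter's project or from Spring; it assumes the template used Velocity's `#evaluate` directive, and the class name, the `htmlEscape` helper and the sample input are constructed for illustration.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class EvaluateOnInputDemo {

    // Hypothetical stand-in for the HTML escaping applied to a bound field value.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;");
    }

    // Renders `template` with the HTML-escaped field value exposed as $value.
    static String render(VelocityEngine engine, String template, String fieldValue)
            throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("value", htmlEscape(fieldValue));
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.init();

        // Constructed, harmless input: a Velocity directive wrapped in HTML.
        String input = "#set($n = 6 * 7)<b>$n</b>";

        // Assumed problem pattern: the template re-parses the field value as
        // Velocity source. HTML escaping does not touch '#' or '$', so the
        // #set directive and the $n reference are executed by the engine.
        String reEvaluated = render(engine, "#evaluate($value)", input);

        // Plain reference: Velocity inserts the value as data and does not
        // parse it again, so the directive text stays inert in the output.
        String asData = render(engine, "$value", input);

        System.out.println("re-evaluated: " + reEvaluated);
        System.out.println("as data:      " + asData);
    }
}
```

Running it requires the Apache Velocity engine jar on the classpath; the two printed lines differ only in whether the directive inside the field value was executed.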