Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2011-2730: Spring Framework Information Disclosure

From: s2-security <s2-security () vmware com>
Date: Fri, 9 Sep 2011 01:40:35 -0700
CVE-2011-2730: Spring Framework Information Disclosure

Severity: Variable depending on application. Likely to be low to moderate, may be important.

Version affected:
3.0.0 to 3.0.5
2.5.0 to 2.5.6.SEC02 (community releases)
2.5.0 to 2.5.7.SR01 (subscription customers)
Earlier, unsupported versions may also be affected

Description:
Prior to JSP 2.0, Expression Language (EL) was not supported. To enable the use of EL in web applications based on 
earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The 
evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for 
EL twice. Once by the container and once by the tag. This can lead to unexpected results that include disclosure of 
information. More details, including a complete list of the vulnerable tags and attributes, are available in a paper[1] 
written by the researchers that discovered this issue.

Example:
A request of the form:
http:///vulnerable.com/foo?message=${applicationScope}

to a page that contains:
<spring:message code="${param['message']}" text=""/>

will result in output that contains internal server information including the classpath and local working directories. 
Session IDs can be obtained using similar techniques.

Mitigation:
A new context parameter has been added called springJspExpressionSupport. When true (the default) the existing 
behaviour of evaluating EL within the tag will be performed. When running in an environment where EL support is 
provided by the container, this should be set to false. Note that for Spring Framework 3.1 onwards when running on a 
Servlet 3.0 or higher container, the correct default will be set automatically. This new attribute is available in:
3.0.6 onwards
2.5.6.SEC03 onwards (community releases)
2.5.7.SR02 (subscription customers)

Credit:
This issue was discovered by Stefano Di Paola, Minded Security and Arshan Dabirsiaghi, Aspect Security.

History:
2011-09-09: Original advisory

References:
[1] http://bit.ly/ExpressionLanguageInjection
[2] http://www.springsource.com/security/cve-2011-2730
Previous By Date Next
Previous By Thread Next

Current thread: