[ https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41825 ]
Don Brown commented on WW-2107:
-------------------------------
I thought about that as well, but it wouldn't help. For one thing, we would
have to block the string '%{' anywhere in the submitted data, which is very
intrusive, but the kicker is it wouldn't block other attacks. For example, any
attribute that evaluates to a non-string value is automatically evaluated as
OGNL with no '%{}' delimiter necessary. Therefore, blocking '%{}' would help
some cases, but still leave you open for attack in others.
> Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker
> ----------------------------------------------------------------------
>
> Key: WW-2107
> URL: https://issues.apache.org/struts/browse/WW-2107
> Project: Struts 2
> Issue Type: Bug
> Components: Views
> Affects Versions: 2.0.9
> Reporter: Don Brown
> Priority: Blocker
> Fix For: 2.0.10
>
>
> It is possible for a user to submit malicious OGNL that could be executed in
> a page that uses JSP EL expressions in Struts tag attributes. FreeMarker
> pages that use FreeMarker expressions in Struts tag attributes are also
> affected. Velocity pages are not affected.
> For example, say you had this JSP page fragment:
> <s:text name="foo" value="${bar}" />
> And a user submitted, via a validation error or request url query parameter,
> the value:
> bar=%{1+1}
> What happens is the JSP processor gets the page first and processes the JSP
> EL expression resulting in:
> <s:text name="foo" value="%{1+1}" />
> Then, the Struts 2 tag receives the 'value' attribute value and processes the
> OGNL expression, resulting in this:
> <input type="text" name="foo" value="2" />
> The workaround is to ensure you don't use JSP EL or FreeMarker expressions in
> Struts tag attributes because you could be unwittingly allowing arbitrary
> code execution.
> The proposed solution is to turn off, via the TLD, JSP EL expressions in all
> Struts tag attributes. This will most likely break many Struts 2
> applications, but the severity of the issue needs to be taken into account.
> This solution doesn't unfortunately resolve the FreeMarker issue.
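The two-stage evaluation the issue describes, as an added model that is not Struts code and not part of the original thread: a stand-in for the JSP EL pass and a tiny arithmetic evaluator standing in for OGNL show why `value="${bar}"` hands the user's text to the expression engine as source, while `value="%{bar}"` hands it only the user's value. The names `jsp_el_substitute`, `ognl_model_eval`, `struts_tag_value` and `render_tag_value` are invented for this model, and `SAMPLE_PARAMS` is constructed sample request data.

```python
import ast
import re

# Constructed sample request data: 'bar' is the user-controlled parameter from the issue.
SAMPLE_PARAMS = {"bar": "%{1+1}"}
EL_REF = re.compile(r"\$\{(\w+)\}")          # JSP EL reference such as ${bar}
OGNL_ATTR = re.compile(r"^%\{(.*)\}$", re.S)  # Struts attribute holding an OGNL expression

def jsp_el_substitute(page_text: str, params: dict) -> str:
    """Stage 1 (JSP container): expand ${name} into the page text before Struts sees it."""
    return EL_REF.sub(lambda m: params.get(m.group(1), ""), page_text)

def ognl_model_eval(expr: str, value_stack: dict):
    """Hypothetical stand-in for OGNL: integer arithmetic plus name lookups on the value stack.
    Real OGNL can also invoke methods, which is what makes attacker-supplied text serious."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name):              # property lookup: returns data, never re-parsed
            return value_stack[node.id]
        if isinstance(node, ast.BinOp):
            left, right = ev(node.left), ev(node.right)
            if isinstance(left, int) and isinstance(right, int):
                if isinstance(node.op, ast.Add):
                    return left + right
                if isinstance(node.op, ast.Sub):
                    return left - right
                if isinstance(node.op, ast.Mult):
                    return left * right
        raise ValueError("unsupported expression: " + expr)
    return ev(ast.parse(expr, mode="eval"))

def struts_tag_value(attribute: str, value_stack: dict) -> str:
    """Stage 2 (Struts tag): a %{...} attribute is evaluated once; anything else is a literal."""
    m = OGNL_ATTR.match(attribute)
    if m is None:
        return attribute
    return str(ognl_model_eval(m.group(1), value_stack))

def render_tag_value(jsp_attribute: str, params: dict) -> str:
    """Run both stages on one tag attribute exactly as it is written in the JSP source."""
    page_text = jsp_el_substitute(jsp_attribute, params)   # user text can become page source here
    return struts_tag_value(page_text, params)

if __name__ == "__main__":
    print(render_tag_value("${bar}", SAMPLE_PARAMS))  # "2": the user's text reached the evaluator
    print(render_tag_value("%{bar}", SAMPLE_PARAMS))  # "%{1+1}": looked up as data, not evaluated
```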