Posted to dev@struts.apache.org by Al Sutton <al...@funkyandroid.com> on 2008/12/30 10:12:39 UTC

2.1.4 Quality - XWork/OGNL issue

The previous problems are fixed, but there looks like there might be a 
potential issue with XWork and/or OGNL....

I use displaytag and when paging through the URL is something like;

http://localhost/AndroidPhoneApplications/subs/?d-16387-p=3

When paging through with 2.1.4 I get an exception from XWork/OGNL which 
says;

ognl.InappropriateExpressionException: Inappropriate OGNL expression: (d 
- 16387) - p

I don't get this with 2.1.2, so are attempts to evaluate GET parameter 
names a new thing with 2.1.4?

imho Xwork/OGNL shouldn't be evaluating either the name or the value of 
a POST or GET parameter because they are user submitted and there may be 
something which the application needs to process but is in a form that 
OGNL "changes", and hence a lot of confusion could be caused.

Al.

P.S. I don't know if it's happening with POST parameters as well.

-- 
======
Funky Android Limited is registered in England & Wales with the 
company number  6741909. The registered head office is Kemp House, 
152-160 City Road, London,  EC1V 2NX, UK. 

The views expressed in this email are those of the author and not 
necessarily those of Funky Android Limited, its associates, or its 
subsidiaries.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: 2.1.4 Quality - XWork/OGNL issue

Posted by Al Sutton <al...@funkyandroid.com>.
OK, now I'm confused.

It looks like I may have had some jars from 2.1.2 lurking around because 
I've just restarted eclipse, re-put in the 2.1.4 jars and there's no 
exception.

Sorry for the false alarm.

Al.

Musachy Barroso wrote:
> Does it just log the exception and keeps going, or it breaks? Can you
> post the stacktrace? AFAIK the parameters are always evaluated,
> otherwise params like person[1].name would never be populated.
>
> musachy




Re: 2.1.4 Quality - XWork/OGNL issue

Posted by Musachy Barroso <mu...@gmail.com>.
There were multiple vulnerabilities related to that, and they should
be under control now. Static methods are not allowed, and parameters
binding runs on an empty stack, so there is no access to #session,
#application, or anything else for that matter. Here are some tickets
related to that:

http://jira.opensymphony.com/browse/XW-641
http://issues.apache.org/struts/browse/WW-2761

See ParametersInterceptorTest for the tests.

musachy

On Tue, Dec 30, 2008 at 12:29 PM, Al Sutton <al...@funkyandroid.com> wrote:
> That was kind of my concern too. I can understand simple object
> de-referencing taking place (e.g. person[1].name), but expression evaluation
> (e.g. person[1].gobbleUpMemory()+person[2].gobbleUpMemory()) does seem
> potentially dangerous.
>
> Al.



-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd

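A defender-side allowlist for parameter names, added here as an illustration for this thread (it is not XWork's own ParametersInterceptor code, whose acceptable-name pattern it only approximates): any name that is not a plain property path is dropped before OGNL ever sees it, so displaytag's d-16387-p is neither parsed as (d - 16387) - p nor able to name #session or #application. The class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Gate request parameter names before OGNL binding.
 * Illustration for the thread, not XWork's ParametersInterceptor.
 */
public final class ParamNameGate {

    // Accept only property paths: identifier, optional numeric or quoted
    // index, dotted sub-properties. Operators, parentheses, '#', '@',
    // whitespace and anything else fail the whole-string match.
    private static final Pattern ACCEPTABLE = Pattern.compile(
        "[a-zA-Z_][a-zA-Z0-9_]*"
        + "(\\[(\\d+|'[a-zA-Z0-9_]+')\\])*"
        + "(\\.[a-zA-Z_][a-zA-Z0-9_]*(\\[(\\d+|'[a-zA-Z0-9_]+')\\])*)*");

    private static final int MAX_NAME_LENGTH = 100;

    /** True when the name is safe to hand to the value stack for binding. */
    public static boolean isAcceptableName(String name) {
        return name != null
            && name.length() <= MAX_NAME_LENGTH
            && ACCEPTABLE.matcher(name).matches();
    }

    /** Names that would be skipped (and logged) rather than evaluated. */
    public static List<String> rejectedNames(Collection<String> names) {
        List<String> out = new ArrayList<>();
        for (String n : names) {
            if (!isAcceptableName(n)) {
                out.add(n);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample names, taken from the cases discussed in the thread.
        String[] sample = {
            "person[1].name",                                        // bind
            "d-16387-p",                                             // reject
            "person[1].gobbleUpMemory()+person[2].gobbleUpMemory()", // reject
            "#session.user",                                         // reject
            "page"                                                   // bind
        };
        for (String n : sample) {
            System.out.printf("%-56s %s%n", n,
                isAcceptableName(n) ? "bind" : "reject (never evaluated)");
        }
    }
}
```

A rejected name is simply not bound to the action; its raw value remains in the servlet request for libraries such as displaytag that read parameters directly.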


Re: 2.1.4 Quality - XWork/OGNL issue

Posted by Al Sutton <al...@funkyandroid.com>.
That was kind of my concern too. I can understand simple object 
de-referencing taking place (e.g. person[1].name), but expression 
evaluation (e.g. person[1].gobbleUpMemory()+person[2].gobbleUpMemory()) 
does seem potentially dangerous.

Al.

Chris Pratt wrote:
> I've seen it as well on 2.1.2 since I upgraded DisplayTag to 1.2.  It
> appears to log the exception and continue, but my concern would be we have
> another vector for attack.  Knowing that the system is going to evaluate the
> name of, at least, GET variables using OGNL, it would probably be possible
> to inject some OGNL that will compromise the security of sites built on the
> framework.
>   (*Chris*)




Re: 2.1.4 Quality - XWork/OGNL issue

Posted by Chris Pratt <th...@gmail.com>.
I've seen it as well on 2.1.2 since I upgraded DisplayTag to 1.2.  It
appears to log the exception and continue, but my concern would be we have
another vector for attack.  Knowing that the system is going to evaluate the
name of, at least, GET variables using OGNL, it would probably be possible
to inject some OGNL that will compromise the security of sites built on the
framework.
  (*Chris*)

On Tue, Dec 30, 2008 at 6:16 AM, Musachy Barroso <mu...@gmail.com> wrote:

> Does it just log the exception and keeps going, or it breaks? Can you
> post the stacktrace? AFAIK the parameters are always evaluated,
> otherwise params like person[1].name would never be populated.
>
> musachy

Re: 2.1.4 Quality - XWork/OGNL issue

Posted by Musachy Barroso <mu...@gmail.com>.
Does it just log the exception and keeps going, or it breaks? Can you
post the stacktrace? AFAIK the parameters are always evaluated,
otherwise params like person[1].name would never be populated.

musachy

On Tue, Dec 30, 2008 at 4:12 AM, Al Sutton <al...@funkyandroid.com> wrote:
> The previous problems are fixed, but there looks like there might be a
> potential issue with XWork and/or OGNL....
>
> I use displaytag and when paging through the URL is something like;
>
> http://localhost/AndroidPhoneApplications/subs/?d-16387-p=3
>
> When paging through with 2.1.4 I get an exception from XWork/OGNL which
> says;
>
> ognl.InappropriateExpressionException: Inappropriate OGNL expression: (d -
> 16387) - p
>
> I don't get this with 2.1.2, so are attempts to evaluate GET parameter names
> a new thing with 2.1.4?
>
> imho Xwork/OGNL shouldn't be evaluating either the name or the value of a
> POST or GET parameter because they are user submitted and there may be
> something which the application needs to process but is in a form that OGNL
> "changes", and hence a lot of confusion could be caused.
>
> Al.
>
> P.S. I don't know if it's happening with POST parameters as well.
>


