XWork issue XW-641

XWork ParameterInterceptors bypass (OGNL statement execution)


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1, 2.1.1
    • Fix Version/s: 2.0.6, 2.1.2
    • Component/s: Interceptors
    • Labels: None
    • Important

    Description

      Hello XWork developers,

      I believe I've discovered a vulnerability that allows attackers to bypass security measures implemented in ParametersInterceptor. OGNL is a pretty complex language and provides a lot of features, so, for example, using expression evaluation (http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html) it is possible to bypass the '#' protection and modify objects in the context. So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:

      ('\u0023' + 'session[\'user\']')(unused)=0wn3d

      which will look as follows once URL encoded:

      ('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d

      I am not sure what percentage of users are actually using parameter names more complex than foo.bar or foo['bar']/foo[0], but if the percentage is low, it may be a good idea to whitelist a set of characters and only allow parameter names that match the whitelist. Maybe making this expression configurable to allow for more complex cases.

      Please let me know if you need more information.

      Also please credit "Meder Kydyraliev, Google Security Team" in any advisories relating to this issue.

      Thanks,

      Meder
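      As an added illustration (not part of the report above and not the regex XWork actually adopted), the whitelist approach the reporter proposes, contrasted with a check that only refuses a literal '#'. The whitelist pattern, the helper names and the sample parameter map are assumptions for this example; the encoded parameter name is the one quoted in the report.

```python
import re
from urllib.parse import unquote

# Assumed whitelist for parameter names; an illustration, not XWork's own
# pattern. It admits dotted identifiers, numeric indexes and single-quoted
# string keys: foo.bar, foo['bar'], foo[0], foo[0].bar. It rejects '#', '(',
# ')', '@', '\\' and bare quotes, so neither "#session.user" nor the
# ('\u0023' + ...)(unused) evaluation form can be used as a parameter name.
_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
_INDEX = r"\[(?:\d+|'[A-Za-z0-9_]+')\]"
ACCEPTABLE_NAME = re.compile(rf"^{_IDENT}(?:\.{_IDENT}|{_INDEX})*$")


def passes_hash_check(name: str) -> bool:
    """The blacklist-style check the report bypasses: refuse only a literal '#'."""
    return "#" not in name


def is_acceptable_name(name: str) -> bool:
    """Whitelist check; the whole name must match, not just a prefix."""
    return ACCEPTABLE_NAME.fullmatch(name) is not None


def check_query_param(raw_name: str) -> dict:
    """Decode a URL-encoded parameter name once, then apply both checks."""
    name = unquote(raw_name)
    return {"decoded": name,
            "hash_check_passes": passes_hash_check(name),
            "whitelist_passes": is_acceptable_name(name)}


def filter_params(params: dict) -> dict:
    """Keep only parameters whose decoded names satisfy the whitelist."""
    return {n: v for n, v in params.items() if is_acceptable_name(unquote(n))}


# Constructed sample request; BYPASS_NAME is the encoded name from the report.
BYPASS_NAME = r"('\u0023'%20%2b%20'session[\'user\']')(unused)"
SAMPLE_PARAMS = {
    "foo.bar": "1",
    "foo['bar']": "2",
    "foo[0]": "3",
    "#session.user": "0wn3d",
    BYPASS_NAME: "0wn3d",
}

if __name__ == "__main__":
    for n in SAMPLE_PARAMS:
        print(check_query_param(n))
    print(sorted(filter_params(SAMPLE_PARAMS)))  # ['foo.bar', "foo['bar']", 'foo[0]']
```

      Note that the decoded bypass name contains no literal '#' at all, so a check on that character alone passes it; the whitelist rejects it because parentheses are simply not permitted.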

      People

        Assignee: Rainer Hermanns (rainerh)
        Reporter: Rainer Hermanns (rainerh)
        Votes: 0
        Watchers: 5