Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1, 2.1.1
- None
- Important
Description
Hello XWork developers,

I believe I've discovered a vulnerability that allows attackers to bypass security measures implemented in ParametersInterceptor. OGNL is a pretty complex language and provides a lot of features, so, for example, using expression evaluation (http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html) it is possible to bypass the '#' protection and modify objects in the context. So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:

    ('\u0023' + 'session[\'user\']')(unused)=0wn3d

which will look as follows once URL encoded:

    ('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d

I am not sure what the percentage of users actually using parameter names more complex than foo.bar or foo['bar']/foo[0] is, but if the percentage is low, it may be a good idea to whitelist a set of characters and only allow parameter names that match the whitelist. Maybe this expression could be made configurable to allow for more complex cases.

Please let me know if you need more information.

Also please credit "Meder Kydyraliev, Google Security Team" in any advisories relating to this issue.

Thanks,
Meder
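The whitelist the report proposes, shown as an added example (this is illustrative code written for this page, not XWork's ParametersInterceptor and not code from the reporter). The class accepts only the simple parameter-name shapes the report names, foo.bar, foo['bar'] and foo[0], chained in any order, and rejects everything else, including the expression-evaluation name quoted above. The exact grammar is an assumption for illustration; a project would adjust it to the names its forms really use. The check has to run on the URL-decoded parameter name, before the name is handed to the OGNL evaluator, which is where the original bypass takes effect.

```java
import java.util.regex.Pattern;

/**
 * Example parameter-name whitelist for a request-parameter interceptor.
 * Accepts an identifier followed by any number of ".ident", "[123]" or
 * "['ident']" accessors and nothing else. Parentheses, quotes outside the
 * ['ident'] form, '+', whitespace and '#' never match, so OGNL expression
 * evaluation and method-call syntax cannot be smuggled in through a name.
 */
public class ParamNameWhitelist {

    private static final String IDENT = "[A-Za-z_][A-Za-z0-9_]*";

    // Whole-name match: one identifier, then zero or more accessors.
    private static final Pattern ALLOWED = Pattern.compile(
        "^" + IDENT
        + "(?:\\." + IDENT            // foo.bar
        + "|\\[[0-9]+\\]"             // foo[0]
        + "|\\['" + IDENT + "'\\]"    // foo['bar']
        + ")*$");

    /** Returns true only if the decoded parameter name matches the whitelist. */
    public static boolean isAcceptableName(String name) {
        return name != null && ALLOWED.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names. The last few are the kinds of names a
        // whitelist should stop; the report's own payload is among them.
        // Note: in Java source "\\u0023" yields the six characters \u0023,
        // which is what the attacker sends after URL decoding.
        String[] names = {
            "foo.bar",
            "foo['bar']",
            "foo[0]",
            "user.addresses[2].street",
            "#session.user",
            "('\\u0023' + 'session[\\'user\\']')(unused)",
            "foo.bar()",
            "foo['bar'].#x"
        };
        for (String n : names) {
            System.out.printf("%-48s %s%n", n,
                isAcceptableName(n) ? "accepted" : "REJECTED");
        }
    }
}
```

Compile with `javac ParamNameWhitelist.java` and run with `java ParamNameWhitelist`; the first four names are accepted and the remaining four are rejected. Because the whitelist is a positive grammar rather than a list of forbidden characters such as '#', an alternate spelling of a forbidden character (the `\u0023` escape in the report) is rejected for the same reason as the character itself: it is simply not in the grammar. If a deployment needs richer names, the safer path is to extend the grammar with one more explicit accessor form rather than to admit whole character classes such as parentheses or quotes.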