Source document: http://www.ouncelabs.com/springmvc
Spring MVC vulnerability FAQ

* What is the technical problem?

The Ounce report describes two issues that can affect Spring web applications. Both issues result from usage of the Web MVC module of the Spring Framework, and are not the result of bugs or design flaws in the framework. The first issue is called Data Submission to Non-Editable Fields. It can arise from unconfigured use of Spring's DataBinder. The second issue is called ModelView Injection. It can arise when data provided in a client request is used directly as the name of a view.

* How serious can the exposure be?

The Data Submission to Non-Editable Fields issue can result when using Spring's DataBinder to bind client request data to server-side model objects, a.k.a. "command" objects. By default, a WebDataBinder will attempt to bind all parameters provided in an HttpServletRequest. With this default enabled, a malicious client could modify or add parameters to the posted form data, which could result in model object properties being updated unexpectedly or out of sequence. For applications that bind request data to presentation-layer "form models", this is unlikely to be a problem, since there is a one-to-one correspondence between a form backing object and a set of allowed request parameters. This issue is only relevant for applications that bind directly to a domain model which exposes properties that should not be updated by the client. The problem can manifest itself anywhere the Spring DataBinder is used to bind to a domain model, which includes SimpleFormController, MultiActionController, @Controller, and AbstractWizardFormController implementations.

The ModelView Injection issue can result when data provided in a client request is used directly as the name of a view to render. If view names map to internal resources such as files in the web application's file system, a malicious client could gain access to protected web application resources such as web.xml.
* How do I fix the problem?

To prevent the Data Submission to Non-Editable Fields issue, the DataBinder should be configured explicitly with the set of fields that are allowed for binding. To do this, set the "allowedFields" property on each DataBinder instance you work with in your application. Below is how to do this with each major Controller implementation:

  * SimpleFormController - Override initBinder(HttpServletRequest, ServletRequestDataBinder) and call setAllowedFields(String[]) on the provided ServletRequestDataBinder instance.
  * MultiActionController - Call setAllowedFields on any ServletRequestDataBinder instance you instantiate locally within a handler method body.
  * @Controller - Use the @InitBinder annotation to inject a WebDataBinder into a method that configures it explicitly. Call setAllowedFields(String[]) to restrict the fields allowed for that Controller class. If the set of allowed fields needs to vary per handler method, have your @InitBinder method accept an HttpServletRequest and key off the current request mapping.
  * AbstractWizardFormController - Override initBinder(HttpServletRequest, ServletRequestDataBinder) and call setAllowedFields(String[]) on the provided DataBinder instance. Call getCurrentPage(HttpServletRequest) to configure the set of allowed fields per page.

To prevent the ModelView Injection issue, simply never allow the client to select the view name. View name selection is a server-side responsibility.

* How do I check to see if I have this problem?

Review your pre-existing controller implementations that bind to domain model data. If you are not setting the allowedFields property, you are exposed to this issue. Whether or not that exposure constitutes a security threat depends on the context.

* How can SpringSource help with fixing this problem?
SpringSource engineers and consultants are committed to fixing bugs, maintaining the code base and educating the user community about best practices for all the different projects in the Spring Portfolio, including Spring MVC. Bug fixes and solutions to security vulnerabilities are made available to the Spring user community via periodic code releases for all projects. SpringSource Enterprise <http://springsource.com/products/enterprise> customers receive access to tools, patches and support to address security vulnerabilities, as well as advance notice of security advisories.

[Ph4nt0m] <http://www.ph4nt0m.org/> [Ph4nt0m Security Team] <http://blog.ph4nt0m.org/>
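The allowedFields configuration and the server-side view selection from the fix section above, worked through for the @Controller case as an added example (this is not code from the FAQ, from Ounce Labs or from SpringSource). The Account domain object, the /account URLs, the view names and the PAGES map are assumptions chosen for illustration; the unsafe and hardened controllers are shown side by side only for contrast and would not be deployed together, since they map the same URLs.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

/** Hypothetical domain object (assumption) bound straight from request parameters. */
class Account {
    private String username;
    private String email;
    private String password;
    private boolean admin;   // must only ever be set by server-side code
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

/** Vulnerable: the default WebDataBinder applies every parameter that matches a writable property. */
@Controller
@RequestMapping("/account")
class UnsafeAccountController {
    @RequestMapping(value = "/edit", method = RequestMethod.POST)
    public String edit(@ModelAttribute("account") Account account) {
        // POST username=bob&email=bob@example.org&admin=true -> account.isAdmin() is now true.
        return "accountSaved";
    }

    // ModelView Injection: the client names the view to render.
    @RequestMapping(value = "/page", method = RequestMethod.GET)
    public String page(@RequestParam("view") String view) {
        return view; // with a resource-based view resolver this can reach internal files
    }
}

/** Hardened: explicit allowedFields per request mapping, and server-side view selection. */
@Controller
@RequestMapping("/account")
public class AccountController {

    private static final String[] EDIT_FIELDS = {"username", "email"};
    private static final String[] REGISTER_FIELDS = {"username", "email", "password"};

    // Fixed map from a client-supplied key to a view name chosen by the server (assumed names).
    private static final Map<String, String> PAGES = new HashMap<String, String>();
    static {
        PAGES.put("profile", "account/profile");
        PAGES.put("history", "account/history");
    }

    @InitBinder("account")
    public void restrictBinding(WebDataBinder binder, HttpServletRequest request) {
        // Key the allowed set off the current request mapping, as the FAQ suggests.
        // allowedFields entries are matched as simple patterns, so nested properties
        // need their own entry, e.g. "address.*".
        if (request.getRequestURI().endsWith("/register")) {
            binder.setAllowedFields(REGISTER_FIELDS);
        } else {
            binder.setAllowedFields(EDIT_FIELDS);
        }
    }

    @RequestMapping(value = "/edit", method = RequestMethod.POST)
    public String edit(@ModelAttribute("account") Account account, BindingResult result) {
        // Parameters outside allowedFields are dropped, not bound. The binder records
        // them as suppressed fields, which makes tampering attempts visible to logging.
        for (String field : result.getSuppressedFields()) {
            System.err.println("Rejected client attempt to bind field: " + field);
        }
        return "accountSaved";
    }

    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public String register(@ModelAttribute("account") Account account) {
        return "accountRegistered";
    }

    @RequestMapping(value = "/page", method = RequestMethod.GET)
    public String page(@RequestParam("view") String key) {
        // Unknown keys fall back to a fixed view; the raw parameter never becomes a view name.
        String view = PAGES.get(key);
        return view != null ? view : "account/profile";
    }
}
```

Against UnsafeAccountController, a POST to /account/edit carrying admin=true flips the flag on the bound Account. Against AccountController the same request leaves admin untouched, and result.getSuppressedFields() returns {"admin"}, which is worth logging as an indicator of parameter tampering. Checking the whole set of writable properties on the domain object against the allowed list is the review step the "How do I check" answer calls for.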

