Hi all,

Fellow Stripers have recently pointed out a pretty scary security flaw in
Stripes. Thanks a lot to them for the reports, we all owe you guys!

In short, it's about using Data Binding to manipulate the application's
ClassLoader, which allows an attacker to execute arbitrary code on the server,
or DoS it. Pretty bad stuff to say the least...

It was first discovered in Struts, and applies to Stripes too. It
affects all released versions.
Some info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094

If you use @StrictBinding+@Validate everywhere (which you should do anyway,
classLoader manipulation or not), then you're safe: binding to
getClass().getClassLoader() will be denied.

If you don't, then it's not only your data that's exposed: you have this
classLoader manipulation problem too.
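As an added illustration (not part of the original mail or of the Stripes code base), here is what "@StrictBinding + @Validate everywhere" looks like on a hypothetical ActionBean; the class, property and JSP names are made up:

```java
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.validation.Validate;

// Hypothetical bean. With @StrictBinding, only properties that carry a
// @Validate annotation (or that are listed in the annotation's allow list)
// are bound from request parameters. Every other parameter name is denied,
// including nested paths that start at the bean's "class" property, so a
// request cannot reach getClass().getClassLoader().
@StrictBinding
public class ContactActionBean implements ActionBean {
    private ActionBeanContext context;

    // Bound: @Validate marks these as intended user input.
    @Validate(required = true, maxlength = 64)
    private String name;

    @Validate(required = true, mask = "[^@]+@[^@]+")
    private String email;

    // Not bound: no @Validate, so an "internalNote" request parameter is dropped.
    private String internalNote;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getInternalNote() { return internalNote; }
    public void setInternalNote(String internalNote) { this.internalNote = internalNote; }

    @DefaultHandler
    public Resolution submit() {
        // Only name and email can have been populated from the request here.
        return new ForwardResolution("/WEB-INF/jsp/contact_done.jsp");
    }
}
```

The same policy can also be expressed explicitly with the annotation's allow/deny attributes, but relying on @Validate keeps the list of bindable properties next to the properties themselves.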

Ben has fixed this bug for 1.5.8-SNAPSHOT and 1.6.0-SNAPSHOT, so future
releases will be safe.
https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a

We have released a hotfix over 1.5.7:

http://repo1.maven.org/maven2/net/sourceforge/stripes/stripes/1.5.7-classloaderfix/

        <dependency>
            <groupId>net.sourceforge.stripes</groupId>
            <artifactId>stripes</artifactId>
            <version>1.5.7-classloaderfix</version>
        </dependency>

It's just 1.5.7 rebuilt with Ben's fix for the classLoader issue. It is a
private, implementation-level fix (no API changed), so there should be no
regressions.

We encourage everybody to upgrade ASAP.

Cheers

Rémi - on behalf of the dev. team.
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users