Question

I have a public-facing web application that uses Spring MVC (3.2.x) and Spring Security (3.1.x). This morning I observed requests of the following form in our access logs:

GET /MyWebAppPath/login.do?redirect:${Some URL-encoded EL code here}

What bug or feature of Spring was this attempting to exploit? Under what conditions would Spring (or some other code) evaluate that EL expression?

It looks like the ?redirect: parameter was ignored for me, but it makes me nervous because I don't know where to look to verify that I'm not vulnerable. All my Googling has turned up unrelated things (as best I can tell).

If that code inside the ${ } had actually run, it would have attempted to dump the contents of /etc/passwd to the client. (Thankfully it looks like it never did run. Plus that file doesn't exist on our system. And our Tomcat runs as a user with limited permissions.)


EDIT: Here is the actual code that was inside the ${ }, after decoding and adding newlines to help readability:

#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),
#b=#a.getInputStream(),
#c=new java.io.InputStreamReader(#b),
#d=new java.io.BufferedReader(#c),
#e=new char[50000],
#d.read(#e),
#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
#matt.getWriter().println(#e),
#matt.getWriter().flush(),
#matt.getWriter().close()

Solution

That's right, this vulnerability is exclusive to Struts 2, and is documented as CVE-2013-2251. You do not have to worry about it with Spring MVC.
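As an added example (not part of the question or the answer above), here is a small Python triage script for the asker's "where to look" concern. It scans access-log lines for the request shape shown in the question: a parameter name that starts with one of the Struts 2 action-mapper prefixes covered by the CVE-2013-2251 advisory (`redirect:`, `redirectAction:`, `action:`) and then carries an expression marker (`${` or `%{`). The log lines are constructed for the example and the function names are my own; the script only tells you which requests to correlate with the framework you actually run (Struts 2 or not), not whether the expression was ever evaluated.

```python
import re
from urllib.parse import unquote

# Parameter-name prefixes that the Struts 2 action mapper treated specially
# (the set named in the CVE-2013-2251 / S2-016 advisory). The question shows
# the "redirect:" form.
STRUTS_PREFIXES = ("redirect:", "redirectAction:", "action:")

# OGNL / EL expression openers to look for after the prefix.
EXPRESSION_MARKERS = ("${", "%{")

# Request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from the page). Line 1 mimics the
# question's request; line 3 uses a different prefix; lines 2 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2013:09:12:01 +0000] "GET /MyWebAppPath/login.do?redirect:%24%7B%23a%3D1%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Jul/2013:09:12:05 +0000] "GET /MyWebAppPath/login.do?username=bob HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jul/2013:09:13:44 +0000] "GET /MyWebAppPath/index.do?redirectAction:%25%7B%23x%7D HTTP/1.1" 302 0 "-" "curl/7.29"
10.0.0.8 - - [10/Jul/2013:09:14:00 +0000] "GET /MyWebAppPath/login.do?redirect=/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def param_names(target: str) -> list:
    """Return the URL-decoded parameter names in a request target's query string.

    The query is split on '&' and '=' before decoding, so an encoded '&' or '='
    inside a value cannot forge an extra parameter. A token with no '=' (as in
    the question, where the whole query is the parameter name) is a name."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    return [unquote(token.split("=", 1)[0]) for token in query.split("&") if token]


def inspect_target(target: str):
    """Return a finding dict when a parameter name carries a Struts mapper prefix
    followed by an expression marker; otherwise return None."""
    for name in param_names(target):
        for prefix in STRUTS_PREFIXES:
            if name.startswith(prefix):
                rest = name[len(prefix):]
                if any(marker in rest for marker in EXPRESSION_MARKERS):
                    return {"prefix": prefix, "expression": rest}
    return None


def scan_access_log(text: str) -> list:
    """Scan access-log text and return one finding per suspicious request line,
    tagged with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        finding = inspect_target(match.group("target"))
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: prefix {f['prefix']!r} with expression {f['expression']!r}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents. A plain `redirect=/home` parameter is deliberately not flagged, since the Struts mapper only acted on the colon-suffixed prefix form; if your application is Spring MVC, as in the question, a hit confirms scanning activity rather than a working exploit, and the useful follow-up is to check whether any Struts 2 artifact is on the classpath of that deployment.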

Licensed under: CC-BY-SA with attribution