Jul 16th, 2008, 9:00 pm
The Advanced Research Team of security tools vendor Ounce Labs has identified two vulnerabilities in the Spring framework for Java. The vulnerabilities have the potential, the team says, to allow an attacker to “subvert the expected application logic and behavior,” and gain control of an application and access any personal data, credentials or keys held therein.
The vulnerabilities, called “ModelView Injection” and “Data Submission to Non-Editable Fields,” are unlike common flaws such as cross-site scripting and SQL injection attacks. “These newly discovered class[es] of vulnerabilities are not security flaws in the framework, but are actually design issues that if not implemented properly expose…applications to attacks,” according to the alert.
SpringSource, sponsor and lead developer of the Spring framework, acknowledges the problem and has published a page explaining how to eliminate the threats. In a nutshell, the data submission threat can be prevented by configuring the DataBinder explicitly with the set of fields that are allowed for binding. To do this, SpringSource says to “set the ‘allowedFields’ property on each DataBinder instance you work with in your application.” It also provides examples of how to do this with major Controller implementations.
To determine whether your code has this problem, SpringSource instructs you to review any controller implementations that bind to domain model data. If you’re not setting the allowedFields property, you may be vulnerable, depending on context.
To prevent the ModelView issue, which can pop up when data in a client view is the same as the name of a rendered view or a view name maps to internal resources such as file names, “simply never allow the client to select the view name,” which it says is a server-side responsibility.
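Both mitigations described above, shown together in one controller. This is an added example, not code from SpringSource, Ounce Labs or the original article; it assumes current Spring MVC annotations, and `UserProfile`, `ProfileController`, the `tab` parameter and the view names are hypothetical.

```java
import java.util.Map;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;

// Hypothetical domain object: only displayName and email appear on the edit form.
class UserProfile {
    private String displayName;
    private String email;
    private boolean admin;   // never rendered as an editable field
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String v) { displayName = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean v) { admin = v; }
}

@Controller
public class ProfileController {

    // Server-side table of views: the client supplies only a key, never a view name.
    private static final Map<String, String> VIEWS =
            Map.of("summary", "profile/summary", "edit", "profile/edit");

    // Restrict binding for the "profile" attribute to the form's editable fields.
    // Without this, any request parameter that matches a setter (for example
    // "admin") is bound onto UserProfile along with the legitimate fields.
    @InitBinder("profile")
    public void initBinder(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
    }

    @PostMapping("/profile")
    public String update(@ModelAttribute("profile") UserProfile profile,
                         @RequestParam(name = "tab", defaultValue = "summary") String tab) {
        // ... persist profile.getDisplayName() and profile.getEmail() here ...
        // Unknown keys fall back to a fixed view instead of being passed through
        // to the view resolver, so request data never selects the rendered view.
        return VIEWS.getOrDefault(tab, "profile/summary");
    }
}
```

When reviewing existing controllers, the two things to look for are a binder on a domain object with no `setAllowedFields` call, and a handler whose returned view name is built from request data.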
This blog entry was written by Edward J Correia, staff writer aka EddieC. It has received 708 views, 1 comment, and 6 linkbacks. 1 voter has rated this entry 5 out of 5 stars. It was promoted to featured status Jul 16th, 2008.
Comments (Newest First)
sanzilla | Light Poster | Jul 24th, 2008
Anyone know where to find the white papers about this class of attacks?
Or example exploit code for this?