The Advanced Research Team of security tools vendor Ounce Labs has identified two vulnerabilities in the Spring framework for Java. The vulnerabilities have the potential, the team says, to allow an attacker to “subvert the expected application logic and behavior,” and gain control of an application and access any personal data, credentials or keys held therein.
The vulnerabilities, called “ModelView Injection” and “Data Submission to Non-Editable Fields,” are unlike common flaws such as cross-site scripting and SQL injection attacks. “These newly discovered class[es] of vulnerabilities are not security flaws in the framework, but are actually design issues that if not implemented properly expose…applications to attacks,” according to the alert.
SpringSource, sponsor and lead developer of the Spring framework, acknowledges the problem and published a page explaining how to eliminate the threats. In a nutshell, the data submission threat can be prevented by configuring the DataBinder explicitly with the set of fields that are allowed for binding. To do this, SpringSource says to “set the ‘allowedFields’ property on each DataBinder instance you work with in your application.” It also provides examples of how to do this with major Controller implementations.
To determine whether your code has this problem, SpringSource instructs you to review any controller implementations that bind request data to domain model objects. If you are not setting the allowedFields property on those binders, you are vulnerable, depending on context.
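The allowedFields fix described above, shown as an added example rather than SpringSource's own code: a standalone Spring DataBinder is run against constructed request parameters, first without restrictions and then with an explicit allowedFields list. It assumes the Spring spring-beans and spring-context jars are on the classpath; the Account class and the parameter values are constructed for illustration.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class AllowedFieldsDemo {

    // Constructed domain object: "admin" must only ever be set by server-side code.
    public static class Account {
        private String displayName;
        private String email;
        private boolean admin;

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Constructed request parameters: the two fields the edit form actually contains,
    // plus an extra "admin" parameter that the form never offers.
    static MutablePropertyValues submittedParams() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("displayName", "alice");
        pvs.add("email", "alice@example.com");
        pvs.add("admin", "true");
        return pvs;
    }

    // Unrestricted binder: every parameter that matches a setter is applied,
    // so the privileged flag is populated from client input.
    static Account bindUnrestricted() {
        Account target = new Account();
        DataBinder binder = new DataBinder(target);
        binder.bind(submittedParams());
        return target;
    }

    // Hardened binder: only the whitelisted fields are bound. The "admin"
    // parameter is dropped and recorded in getBindingResult().getSuppressedFields(),
    // which is worth logging as a signal of tampered submissions.
    static Account bindWithAllowedFields() {
        Account target = new Account();
        DataBinder binder = new DataBinder(target);
        binder.setAllowedFields("displayName", "email");
        binder.bind(submittedParams());
        return target;
    }

    public static void main(String[] args) {
        System.out.println("unrestricted binder  admin=" + bindUnrestricted().isAdmin());
        System.out.println("allowedFields binder admin=" + bindWithAllowedFields().isAdmin());
    }
}
```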
To prevent the ModelView issue, which can arise when client-submitted data is used as the name of the view to render, or when a view name maps to internal resources such as file names, “simply never allow the client to select the view name,” which SpringSource says is a server-side responsibility.