Vulnerability in Stripes


Vulnerability in Stripes

VANKEISBELCK Remi
Hi all,

Fellow Stripers have recently pointed out a pretty scary security flaw in Stripes. Thanks a lot to them for the reports, we all owe you guys!

In short, it's about using Data Binding to manipulate the application's ClassLoader, and allows an attacker to execute random code on the server, or DoS it. Pretty bad stuff to say the least...

It's been discovered first in Struts, and applies to Stripes too. It affects all released versions.
Some info:

If you use @StrictBinding+@Validate everywhere (which you should do anyway, classLoader manipulation or not), then you're safe: binding to getClass().getClassLoader() will be denied.

If you don't, then you don't only expose your data: you have this classLoader manipulation problem too.

Ben has fixed this bug for 1.5.8-SNAPSHOT and 1.6.0-SNAPSHOT, so future releases will be safe.

We have released a hotfix over 1.5.7:


        <dependency>
            <groupId>net.sourceforge.stripes</groupId>
            <artifactId>stripes</artifactId>
            <version>1.5.7-classloaderfix</version>
        </dependency>

It's just a 1.5.7 rebuilt with Ben's fix for the classLoader issue. It is a private, implementation fix (no API changed), so there should be no regressions.

We encourage everybody to upgrade ASAP. 

Cheers

Rémi - on behalf of the dev. team.


------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Stripes-development mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-development

Re: Vulnerability in Stripes

Ben Gunter
I have one thing to add. While it would be best to upgrade to this hotfix release for now, if you can't do that and you're on Stripes 1.5.x and you're not already using @StrictBinding, then you can add this annotation to your base ActionBean(s) to mitigate the issue.

@StrictBinding(defaultPolicy = Policy.ALLOW, deny = "class.**,**.class.**")

This will prevent access to the class loader via the "class" property. If there are other paths to the class loader, they can be addressed similarly.

-Ben
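To make the two mitigations in this thread concrete, Rémi's "deny by default, bind only what you @Validate" posture and Ben's deny globs above, here is an added Python model of the binding policy check. It is an illustration written for this page, not Stripes' own BindingPolicyManager or any code from the Stripes project. Assumptions: `**` matches any run of property nodes (dots and indexes included), `*` matches a single node, a matching deny pattern wins over an allow pattern, and an explicit allow wins over the default policy; the sample request parameters are constructed, with parameter names shaped like the class-loader paths the thread warns about.

```python
import re
from dataclasses import dataclass


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a StrictBinding-style property glob into an anchored regex.

    Assumed semantics (a model, not Stripes' own implementation):
    `**` matches any sequence of nodes, including dots and indexes;
    `*` matches exactly one node (no dot); everything else is literal.
    """
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^.]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


@dataclass(frozen=True)
class BindingPolicy:
    """Model of @StrictBinding(defaultPolicy=..., allow=..., deny=...)."""

    default_allow: bool
    allow: tuple = ()
    deny: tuple = ()

    def permits(self, path: str) -> bool:
        # Assumed precedence: deny beats allow, allow beats the default policy.
        if any(glob_to_regex(g).match(path) for g in self.deny):
            return False
        if any(glob_to_regex(g).match(path) for g in self.allow):
            return True
        return self.default_allow


def bind_request(policy: BindingPolicy, params: dict) -> tuple:
    """Split submitted parameters into those the policy binds and those it rejects."""
    bound = {}
    rejected = []
    for name, value in params.items():
        if policy.permits(name):
            bound[name] = value
        else:
            rejected.append(name)
    return bound, rejected


# Ben's interim mitigation: allow by default, but refuse any path that reaches
# the class loader through the "class" property (his comma-separated deny
# string is modelled here as a tuple of two globs).
BEN_POLICY = BindingPolicy(default_allow=True, deny=("class.**", "**.class.**"))

# Rémi's recommended posture: deny by default and bind only the properties the
# bean validates; the @Validate'd fields are modelled as an explicit allow list.
STRICT_POLICY = BindingPolicy(default_allow=False, allow=("user.name", "user.email"))

# Constructed sample request (not a real capture): ordinary form fields plus
# parameter names shaped like class-loader binding paths. "classic.title" is
# there to show that "class.**" requires a dot after "class" and does not
# over-match unrelated properties.
SAMPLE_PARAMS = {
    "user.name": "alice",
    "user.email": "alice@example.invalid",
    "classic.title": "ordinary property, must still bind",
    "class.classLoader.someProperty": "rejected by class.**",
    "user.class.classLoader.someProperty": "rejected by **.class.**",
}

if __name__ == "__main__":
    for label, policy in (("ben", BEN_POLICY), ("strict", STRICT_POLICY)):
        bound, rejected = bind_request(policy, SAMPLE_PARAMS)
        print(f"{label}: bound={sorted(bound)} rejected={rejected}")
```

Run as a script it prints, for each policy, which parameter names would be bound and which refused. The difference between the two policies is the point: Ben's globs close the one path to the class loader that this thread names, while the deny-by-default policy also refuses any property you did not explicitly validate, which is why Rémi recommends @StrictBinding+@Validate everywhere rather than a deny list alone.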


On Tue, Apr 29, 2014 at 6:51 AM, VANKEISBELCK Remi <[hidden email]> wrote: