CVE-2011-2730: Spring Framework Information Disclosure

Severity: Variable depending on application. Likely to be low to moderate, may be important.

Version affected:
3.0.0 to 3.0.5
2.5.0 to 2.5.6.SEC02 (community releases)
2.5.0 to 2.5.7.SR01 (subscription customers)
Earlier, unsupported versions may also be affected

Description:
Prior to JSP 2.0, Expression Language (EL) was not supported. To enable the use of EL in web applications based on earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for EL twice. Once by the container and once by the tag. This can lead to unexpected results that include disclosure of information. More details, including a complete list of the vulnerable tags and attributes, are available in a paper[1] written by the researchers that discovered this issue.

Example:
A request of the form:
http:///vulnerable.com/foo?message=${applicationScope}

to a page that contains:
<spring:message code="${param['message']}" text=""/>

will result in output that contains internal server information including the classpath and local working directories. Session IDs can be obtained using similar techniques.

Mitigation:
A new context parameter has been added called springJspExpressionSupport. When true (the default) the existing behaviour of evaluating EL within the tag will be performed. When running in an environment where EL support is provided by the container, this should be set to false. Note that for Spring Framework 3.1 onwards when running on a Servlet 3.0 or higher container, the correct default will be set automatically. This new attribute is available in:
3.0.6 onwards
2.5.6.SEC03 onwards (community releases)
2.5.7.SR02 (subscription customers)

Credit:
This issue was discovered by Stefano Di Paola, Minded Security and Arshan Dabirsiaghi, Aspect Security.

History:
2011-09-09: Original advisory

References:
[1] http://bit.ly/ExpressionLanguageInjection
[2] http://www.springsource.com/security/cve-2011-2730