~~ $Id$
~~
~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements. See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership. The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License. You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied. See the License for the
~~ specific language governing permissions and limitations
~~ under the License.
~~
-----------
Security bulletin 1
-----------

Security bulletin 1

* Summary

EL expressions passed to some Tiles JSP tags are evaluated twice.

*-------------------------+-----------+
| Who should read this | All Tiles 2.1 developers |
*-------------------------+-----------+
| Impact of vulnerability | Remote server context exposure |
*-------------------------+-----------+
| Maximum security rating | High (read-only exposure) |
*-------------------------+-----------+
| Recommendation | Developers should not install Tiles 2.1.1 under a production environment, |
| | upgrade to Tiles 2.1.2 |
*-------------------------+-----------+
| Affected Software | Tiles 2.1.0/2.1.1 (Tiles 2.0.x versions are safe) |
*-------------------------+-----------+
| Original JIRA Ticket | {{{https://issues.apache.org/jira/browse/TILES-351}TILES-351}} |
*-------------------------+-----------+
| Reporter | Antonio Petrelli (Tiles PMC member) |
*-------------------------+-----------+

* Problem

Tiles 2.1.x allows, with the
{{{../tutorial/advanced/el-support.html}correct configuration}},
the use of EL expressions in Tiles configuration files.

The problem is that, if attribute values or templates are defined using
some JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression
is evaluated twice: once by the container and once by the ELAttributeEvaluator
class.

If the result of the first evaluation is derived from user-entered content,
that content is evaluated again as an EL expression and could be maliciously
exploited to access the server context.

This can therefore lead to unwanted exposure of server data or to XSS attacks.

* Solution

The API and the core have been modified to separate the expression evaluation
from the attribute/template manipulation made by the JSP tags, so that the
two steps are performed safely.

Since Tiles 2.1.1 is still in beta, the recommendation is not to install it
in a production environment; a dedicated release is therefore not necessary.
Experimenters can download the latest version of Tiles from the
{{{http://svn.apache.org/repos/asf/tiles/framework/trunk/}SVN repository}}.
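The double evaluation described under Problem, and the separation described under Solution, can be modelled in a few lines. The following Python is an added illustration written for this bulletin; it is not Tiles code and does not use the real JSP EL implementation. It assumes a toy EL that only resolves dotted references against a constructed set of scopes, an Attribute type with an already_evaluated flag as a hypothetical stand-in for how a tag can tell the evaluator that its value was produced by the container, and a request parameter value constructed to probe for the leak.

```python
import re
from dataclasses import dataclass


def make_scopes(user_title: str) -> dict:
    """Constructed stand-in for the container's implicit objects.

    'param' holds request parameters (user-controlled); 'applicationScope'
    holds server-side data that must never reach the response. The values are
    made up for this example.
    """
    return {
        "param": {"title": user_title},
        "applicationScope": {"configSecret": "example-secret-value"},
    }


EL_RE = re.compile(r"\$\{([^}]*)\}")


def resolve(scopes: dict, path: str) -> str:
    """Resolve a dotted reference such as 'param.title' against the scopes."""
    obj = scopes
    for part in path.strip().split("."):
        if not isinstance(obj, dict) or part not in obj:
            return ""  # an unknown reference evaluates to the empty string
        obj = obj[part]
    return str(obj)


def evaluate_el(scopes: dict, text: str) -> str:
    """One EL evaluation pass: every ${...} is replaced by its resolved value."""
    return EL_RE.sub(lambda m: resolve(scopes, m.group(1)), text)


@dataclass
class Attribute:
    value: str
    already_evaluated: bool = False  # hypothetical flag: True when a tag set the value


def put_attribute_vulnerable(scopes: dict, tag_value: str) -> Attribute:
    # The container evaluates the tag's value, and the tag stores the result as
    # an ordinary attribute, indistinguishable from one read from a
    # configuration file (the 2.1.0/2.1.1 behaviour the bulletin describes).
    return Attribute(evaluate_el(scopes, tag_value))


def put_attribute_fixed(scopes: dict, tag_value: str) -> Attribute:
    # Same container pass, but the tag marks the value as already evaluated so
    # the evaluator leaves it alone (a model of the separation, not the 2.1.2 API).
    return Attribute(evaluate_el(scopes, tag_value), already_evaluated=True)


def el_attribute_evaluator(scopes: dict, attr: Attribute) -> str:
    """Model of ELAttributeEvaluator: evaluates values that come from Tiles
    configuration files. On the vulnerable path it also re-evaluates tag output."""
    if attr.already_evaluated:
        return attr.value
    return evaluate_el(scopes, attr.value)


def render_title(put_attribute, user_title: str) -> str:
    """Simulate <tiles:putAttribute name="title" value="${param.title}"/>."""
    scopes = make_scopes(user_title)
    attr = put_attribute(scopes, "${param.title}")
    return el_attribute_evaluator(scopes, attr)


def render_config_attribute(user_title: str, config_value: str = "${param.title}") -> str:
    """An attribute defined in a configuration file is evaluated exactly once,
    so user data reaching it through ${param.title} stays literal."""
    scopes = make_scopes(user_title)
    return el_attribute_evaluator(scopes, Attribute(config_value))


def looks_like_expression(value: str) -> bool:
    """Detection aid: a request parameter that still contains EL syntax after
    the container pass is worth logging on an affected 2.1.0/2.1.1 deployment."""
    return EL_RE.search(value) is not None


if __name__ == "__main__":
    probe = "${applicationScope.configSecret}"  # constructed probe value
    print("benign, vulnerable tag:", render_title(put_attribute_vulnerable, "Hello"))
    print("probe, vulnerable tag :", render_title(put_attribute_vulnerable, probe))
    print("probe, fixed tag      :", render_title(put_attribute_fixed, probe))
    print("probe, config file    :", render_config_attribute(probe))
    print("probe flagged         :", looks_like_expression(probe))
```

The vulnerable tag turns the probe into the server-side value because the evaluator cannot tell a container-produced string from a configuration-file expression; the fixed tag and the plain configuration-file attribute both return the user's text unchanged, which is the single evaluation the feature is meant to provide.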