A rather dangerous security hole was discovered in Web applications with certain components and configuration, which can be exploited through FreeMarker.
Which systems are affected
Web applications using the JSP Model-2 approach to implement MVC (like older versions of Struts and WebWork) are POSSIBLY vulnerable if the templates have a publicly visitable URL (like http://example.com/foo.ftl). Having such visitable MVC Views, while a bad practice, doesn't make the application vulnerable in itself; it does so only in combination with certain runtime environment settings unrelated to FreeMarker. No more details will be disclosed until FreeMarker 2.3.19 (expected at the end of February, 2012), so users have a chance to secure their applications (see below how). Even if your system is not vulnerable, if you have directly visitable templates, you should apply the fix described below, as similar undiscovered exploits may exist.
This security problem exists regardless of FreeMarker version. FreeMarker 2.3.19 will have a change to block this exploit in some cases, but not in all cases.
How to fix the issue
MVC Views should only be callable by the MVC Controller, regardless of this security issue. They shouldn't have public URLs, since they are internal implementation details. Indeed, most of them are dysfunctional without the Controller preparing the data-model.
To fix this, add this to
    <!-- Prevent the visiting of MVC Views from outside the servlet container.
         RequestDispatcher.forward/include should and will still work.
         Removing this may open security holes! -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>FreeMarker MVC Views</web-resource-name>
        <url-pattern>*.ftl</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- Nobody is allowed to visit these -->
      </auth-constraint>
    </security-constraint>
You have to replace the
This requires Servlet 2.2 or later, and you should always verify that visiting a template directly indeed gives an error (HTTP 403).
Note: Modern Web application frameworks no longer use the request-forwarding approach for FreeMarker views. So possibly you can remove the related servlet declaration altogether without breaking the application; often it was simply left there for no good reason.
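The deployment-descriptor fix above is easy to get subtly wrong (for example by listing a role inside the auth-constraint, which still lets authenticated users fetch templates). The following added audit script, which is not part of the advisory or of FreeMarker, parses a web.xml and reports whether some security-constraint denies all direct access to the template URL pattern; the sample descriptors embedded in it are constructed for illustration.

```python
# Audit a servlet web.xml for the FreeMarker view lock-down: pass only if a
# <security-constraint> covers the template pattern (default *.ftl) AND has an
# EMPTY <auth-constraint>, which denies every direct request (HTTP 403) while
# RequestDispatcher.forward/include from the Controller keeps working.
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip the XML namespace so the check works for every Servlet schema version.
    return tag.rsplit("}", 1)[-1]


def views_are_locked_down(web_xml, pattern="*.ftl"):
    """Return True if web_xml denies all direct access to `pattern`."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [(el.text or "").strip()
                    for el in sc.iter() if _local(el.tag) == "url-pattern"]
        if pattern not in patterns:
            continue
        auth = [el for el in sc.iter() if _local(el.tag) == "auth-constraint"]
        if not auth:
            continue  # no <auth-constraint> at all means no access restriction
        # XML comments (as in the advisory's snippet) are dropped by the parser,
        # so a comment-only auth-constraint correctly counts as empty here.
        roles = [el for el in auth[0].iter() if _local(el.tag) == "role-name"]
        if not roles:
            return True  # empty auth-constraint: nobody may visit
    return False


# Constructed sample descriptors (not taken from the advisory).
LOCKED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FreeMarker MVC Views</web-resource-name>
      <url-pattern>*.ftl</url-pattern>
    </web-resource-collection>
    <auth-constraint><!-- Nobody is allowed to visit these --></auth-constraint>
  </security-constraint>
</web-app>"""
# Common mistake: a role is listed, so authenticated users can still fetch templates.
PARTIAL = LOCKED.replace("<auth-constraint>", "<auth-constraint><role-name>admin</role-name>")
OPEN = '<web-app version="2.5"><display-name>demo</display-name></web-app>'

if __name__ == "__main__":
    for name, xml in (("locked", LOCKED), ("partial", PARTIAL), ("open", OPEN)):
        print(name, views_are_locked_down(xml))
```

Run it against your real web.xml with the url-pattern you actually use for templates; it reports True only for the fully denying constraint, and a False result means direct template URLs should be expected to work and must be fixed.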
Some questions that may arise
Q: What can the attacker do?
Q: Why don't you just release all the information now?
Q: But now I don't know if my system is vulnerable!
Q: Why don't you release 2.3.19 as soon as possible?
Q: Is this security issue being actively exploited now?
Page last generated: 2012-03-01 01:35:47 GMT
All content on this page is copyrighted by the FreeMarker project.