Secure Coding mailing list archives

Expression Language Injection


From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Mon, 12 Sep 2011 12:55:37 +0200

Guys,
someone may be interested in this Spring MVC related paper
(CVE-2011-2730) "Expression Language Injection":
http://blog.mindedsecurity.com/2011/09/expression-language-injection.html

Vulnerable app and server-side examples:
http://68.169.49.40:18080/ELInjection/demo.htm

Client-side PoC example:
http://www.wisec.it/spring/springopt.html

Official fix/statement from SpringSource:
http://www.springsource.com/security/cve-2011-

Cheers,
Stefano

PS. Sorry for the cross-post :)

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
Work: http://www.mindedsecurity.com
Blog: http://blog.mindedsecurity.com
..................

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________