Secure Coding mailing list archives
Expression Language Injection
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Mon, 12 Sep 2011 12:55:37 +0200
Guys, someone may be interested in this Spring MVC related paper (CVE-2011-2730), "Expression Language Injection":
http://blog.mindedsecurity.com/2011/09/expression-language-injection.html

Vulnerable app and server side examples:
http://68.169.49.40:18080/ELInjection/demo.htm

Client side PoC example:
http://www.wisec.it/spring/springopt.html

Official fix/statement from SpringSource:
http://www.springsource.com/security/cve-2011-

Cheers,
Stefano

PS. Sorry for the cross-post :)

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
Work: http://www.mindedsecurity.com
Blog: http://blog.mindedsecurity.com
..................

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________