CVE-2010-3700 - Spring Security - Bypassing of security constraints
Severity:
Important
Vendor:
SpringSource, a division of VMware
Versions affected:
Spring Security 3.0.0 to 3.0.3
Spring Security 2.0.0 t0 2.0.5
Acegi Security 1.0.0 to 1.0.7
Description:
Spring Security does not consider URL path parameters when processing security constraints. By adding an URL path parameter to a request, an attacker may be able
to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see
below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by
getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.
Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert
group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo().
Users of SpringSource tc Server (all versions) are not affected. tc Server uses Apache Tomcat and does not change the handling of path parameters.
Users of SpringSource dm Server (all versions) are not affected. dm Server uses Apache Tomcat and does not change the handling of path parameters.
Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified.
Users of Geronimo 2.2 with Jetty 7 are not affected.
Users of IBM WebSphere Application Server 6.1 and 7.0 are known to be affected.
Users of other containers that implement the Servlet specification may be affected.
Mitigation:
Adopting one of the following mitigations will protect against this vulnerability
Example:
An application that uses the following intercept URL pattern:
<intercept-url pattern="/*-add.do" access="PERMISSION_ADMIN"/>
to protect URLs such as:
/myapp/account-add.do
can be exploited by an attacker that uses a URL of the form:
/ctx/account-add.do;x=-pub.do
Credit:
This issue was discovered and reported to the SpringSource security team
by Ed Schaller.
Path parameters and the Servlet Specification:
This discussion applies to versions 2.3, 2.4, 2.5 & 3.0 of the Servlet Specification.
The Servlet Specification defines the following:
requestURI = contextPath + servletPath + pathInfo
It also states that:
The specification does not state:
The Servlet expert group has previously indicated [1] that the specification would be altered to state that getPathInfo() should not return path parameters and
that clarification would be added to confirm that getContextPath() and getServletPath() should not return path parameters either. This clarification was never
added to the specification.
References:
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=25015
[2] http://www.springsource.com/security/spring-security
[3] http://www.springsource.com/download/community?project=Spring%20Security