Code inspector Ounce Labs has identified two vulnerabilities in the open source Spring framework that expose enterprise applications built on it to would-be hackers and hijackers.
The two issues, ModelView Injection and Data Submission to Non-Editable Fields, affect only the MVC module of the Spring framework, which is used to build enterprise web applications.
Ounce, a Waltham, Mass. risk analysis software company, has worked with SpringSource engineers to validate the problems, which can affect Java web applications that use Spring.
The first problem – which allows third parties to modify and add fields to web forms without user or ISV consent – is similar to cross-site request forgery or SQL injection. “I can submit requests to your account as if I’m the account holder and access information including purchase history,” said Ryan Berg, co-founder and chief scientist at Ounce Labs. "Someone can break in and modify fields and can control the inner business logic of an application."
He noted that anti-malware software won’t catch the problem. Ounce does not know of any reported cases of someone exploiting this for financial gain but ran into this three to four months ago while analyzing a financial application for a client and has seen it in multiple commercial applications built on the open source framework.
SpringSource plans to release an update to one of its MVC demo templates in the near future to show app developers how to avoid this vulnerability. Ounce maintains that the vulnerability is not a security flaw in the framework itself but an application development issue. Many Java applications and business processes built on Spring are insecure by default and should be fixed – even if it means breaking existing applications, Berg said.
The second vulnerability allows hackers to take control of the routing and data validation features of a business process and subvert a business application. The issue is not as prevalent and perhaps a bit more complex for hackers to figure out but it can have more serious repercussions, Ounce's Advanced Research Team warns.
“In the worst case, someone can download all of your application configuration files, your database keys, internal IP addresses, login [info] and how applications are wired together. They can download the whole application and all of your source code,” Berg notes.
In the meantime, Ounce advises clients to access and use a feature in the Spring framework that allows developers to limit the fields users can post to, or use a web application firewall and configure the database to block any extraneous form fields.
In order to avoid these issues, Ounce Labs Advanced Research Team officially released this list of recommendations:
• Never directly use data that a user can control, through hidden fields, cookies or direct form submissions, to control the actual views that are rendered in the MVC pattern.
• Always use the setAllowedFields method to limit the auto-binding of all fields to only those fields that are required for the form.
• Remember that validation is not just about protecting against SQL injection and XSS; you need to validate all data that can be used to control a business process.
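An added illustration of the second recommendation (this is not SpringSource's or Ounce's code): a Spring MVC annotated controller that whitelists bindable fields with setAllowedFields, so a request carrying extra parameters that happen to match setters on the command object is no longer applied. The AccountProfile command object, its field names, the URL and the logging are assumptions.

```java
import java.util.Arrays;
import java.util.logging.Logger;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/account/profile")
public class AccountProfileController {
    private static final Logger LOG = Logger.getLogger(AccountProfileController.class.getName());

    // Hypothetical command object that Spring MVC auto-binds from the posted form.
    // Only displayName and email are on the form; the other two are server-side
    // fields, but their public setters are still reachable by auto-binding.
    public static class AccountProfile {
        private String displayName, email, accountNumber;
        private boolean administrator;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String v) { displayName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public String getAccountNumber() { return accountNumber; }
        public void setAccountNumber(String v) { accountNumber = v; }
        public boolean isAdministrator() { return administrator; }
        public void setAdministrator(boolean v) { administrator = v; }
    }

    // The recommended fix: whitelist the bindable fields. Any other parameter
    // (administrator, accountNumber) submitted with the form is not applied.
    @InitBinder("profile")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
    }

    @RequestMapping(method = RequestMethod.POST)
    public String update(@ModelAttribute("profile") AccountProfile profile,
                         BindingResult result) {
        // Parameters rejected by the whitelist are recorded rather than bound.
        // Logging them is a cheap detection signal for posts carrying extra fields.
        String[] suppressed = result.getSuppressedFields();
        if (suppressed.length > 0) {
            LOG.warning("Ignored non-editable fields: " + Arrays.toString(suppressed));
        }
        // Persist the profile here (hypothetical service call omitted); at this
        // point only displayName and email can have come from the request.
        return "redirect:/account/profile";
    }
}
```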
Berg also suggests that other frameworks – including Ruby on Rails – are vulnerable in some of the same ways but contends that the resolution is designing applications to be secure by default. “It’s not an attack but almost everyone [using Spring] is vulnerable to it,” the Ounce chief scientist added. “If you haven’t done anything with the Spring MVC, you’ll be vulnerable.”