[XW-146] Security issue due to parameter names being evaluated - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0-beta2
Fix Version/s: 1.0
Component/s: Interceptors
Labels:
None

Description

The ParametersInterceptor evaluates all parameter names using OGNL. This allows an attacker to execute code such as

@System@exit(1).dummy

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: John Patterson

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 18/Dec/03 10:40

Updated:: 28/Dec/03 22:38

Resolved:: 28/Dec/03 22:38