EL expressions in JSP using some Tiles JSP tags are evaluated twice.
| Field | Value |
| --- | --- |
| Who should read this | All Tiles 2.1 developers |
| Impact of vulnerability | Remote server context exposure |
| Maximum security rating | High (read-only exposure) |
| Recommendation | Developers should not install Tiles 2.1.1 under a production environment; upgrade to Tiles 2.1.2 |
| Affected Software | Tiles 2.1.0/2.1.1 (Tiles 2.0.x versions are safe) |
| Original JIRA Ticket | TILES-351 |
| Reporter | Antonio Petrelli (Tiles PMC member) |
Tiles 2.1.x allows EL expressions to be used in Tiles configuration files when the corresponding configuration is enabled.
The problem is that, when attribute values or templates are defined using certain JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression is evaluated twice: once by the JSP container and once by the ELAttributeEvaluator class.
If the result of the first evaluation contains user-supplied content, that content is evaluated as an expression by the second pass, which could be abused to read the server context.
This can therefore lead to unwanted exposure of server data or to cross-site scripting (XSS) attacks.
The API and the core have been modified so that expression evaluation is separated, in a safe way, from the attribute and template manipulation performed by the JSP tags.
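The following is an added illustration of the double-evaluation mechanism described above; it is not Tiles code and does not use the Tiles or JSP APIs. It models EL as a simple `${name}` substitution over a constructed context dictionary, contrasts the two-pass behaviour of Tiles 2.1.0/2.1.1 with the single-pass behaviour of the fix, and adds a small check a test suite could use to detect a value that still looks like an expression after the container's pass. The names `SERVER_CONTEXT`, `evaluate_once`, `render_double_evaluation`, `render_single_evaluation` and `first_pass_leaves_expression` are all assumptions of this example.

```python
import re

# Constructed stand-in for the server context an EL expression can resolve
# against. "param.title" plays the role of a request parameter (user-supplied);
# "config.secret" plays the role of data a page should never render from user input.
SERVER_CONTEXT = {
    "param.title": "Hello",
    "config.secret": "server-only-value",
}

# Toy EL syntax: ${name}. Real EL is far richer; the shape is what matters here.
EL_PATTERN = re.compile(r"\$\{([^}]*)\}")


def evaluate_once(text, context):
    """One evaluation pass: replace every ${name} with its value from the context.

    Unknown names resolve to the empty string, as a lenient resolver would.
    """
    return EL_PATTERN.sub(lambda m: str(context.get(m.group(1).strip(), "")), text)


def render_double_evaluation(attribute_value, context):
    """Models Tiles 2.1.0/2.1.1 behaviour for a tag such as
    <tiles:putAttribute name="title" value="${param.title}"/>:
    the JSP container evaluates the attribute once, and then the
    attribute evaluator evaluates the *result* a second time, so any
    expression-shaped data produced by the first pass is run as code.
    """
    first = evaluate_once(attribute_value, context)   # container pass
    return evaluate_once(first, context)               # second pass over the data


def render_single_evaluation(attribute_value, context):
    """Models the 2.1.2 fix: evaluation is separated from attribute handling,
    so the value produced by the container is used as a literal and never
    evaluated again.
    """
    return evaluate_once(attribute_value, context)


def first_pass_leaves_expression(attribute_value, context):
    """Defensive check: True when the container's output still contains an
    EL-shaped fragment, i.e. user data would reach a second evaluation.
    """
    return EL_PATTERN.search(evaluate_once(attribute_value, context)) is not None


if __name__ == "__main__":
    # Benign request parameter: both behaviours agree.
    print(render_double_evaluation("${param.title}", SERVER_CONTEXT))
    print(render_single_evaluation("${param.title}", SERVER_CONTEXT))

    # Request parameter that happens to look like an expression (constructed).
    ctx = dict(SERVER_CONTEXT, **{"param.title": "${config.secret}"})
    print(render_double_evaluation("${param.title}", ctx))   # data became code
    print(render_single_evaluation("${param.title}", ctx))   # literal text kept
    print(first_pass_leaves_expression("${param.title}", ctx))
```

The point the model makes is that the second pass cannot distinguish text that came from the page author from text that came from the request; the fix is to evaluate the author's expression exactly once and treat its result as plain data.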
Since Tiles 2.1.1 is still in beta, the recommendation is not to install it in a production environment; a release is not necessary in this case. Experimenters can download the latest version of Tiles from the SVN repository.