~~ $Id$
~~
~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements.  See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership.  The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License.  You may obtain a copy of the License at
~~
~~   http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied.  See the License for the
~~ specific language governing permissions and limitations
~~ under the License.
~~
            -----------
            Security bulletin 1
            -----------

Security bulletin 1

* Summary

  EL expressions passed through some Tiles JSP tags are evaluated twice.

*-------------------------+-----------+
| Who should read this    | All Tiles 2.1 developers |
*-------------------------+-----------+
| Impact of vulnerability | Remote server context exposure |
*-------------------------+-----------+
| Maximum security rating | High (read-only exposure) |
*-------------------------+-----------+
| Recommendation          | Developers should not install Tiles 2.1.1 in a production environment; |
|                         | upgrade to Tiles 2.1.2 |
*-------------------------+-----------+
| Affected Software       | Tiles 2.1.0/2.1.1 (Tiles 2.0.x versions are safe) |
*-------------------------+-----------+
| Original JIRA Ticket    | {{{https://issues.apache.org/jira/browse/TILES-351}TILES-351}} |
*-------------------------+-----------+
| Reporter                | Antonio Petrelli (Tiles PMC member) |
*-------------------------+-----------+

* Problem

  Tiles 2.1.x, with the {{{../tutorial/advanced/el-support.html}correct configuration}}, allows EL expressions to be used in Tiles configuration files.
  The problem is that, when attribute values or templates are defined through certain JSP tags (tiles:putAttribute, tiles:insertTemplate), an EL expression is evaluated twice: once by the JSP container, and once more by the ELAttributeEvaluator class. If the first evaluation yields user-entered content (for example a request parameter), that content is then evaluated as EL by Tiles, so an attacker who can get an EL expression into that content is able to read the server context. The result is an unwanted exposure of server data, and the injected output can also be used for XSS attacks.

* Solution

  The API and the core have been modified to separate expression evaluation from the attribute/template manipulation performed by the JSP tags, so that a value the container has already evaluated is not evaluated again by Tiles.

  Since Tiles 2.1.1 is still a beta, the recommendation is not to install it in a production environment; a dedicated security release for it is therefore not necessary, and the fix is in Tiles 2.1.2. Experimenters can download the latest version of Tiles from the {{{http://svn.apache.org/repos/asf/tiles/framework/trunk/}SVN repository}}.
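  The following Python model is an added illustration of the double evaluation described under Problem and of the single evaluation the Solution restores; it is not code from the Tiles project and not the JSP or Java involved. The toy EL evaluator, the scope names such as applicationScope.dbPassword, and the request parameters are constructed stand-ins; the second evaluate() call plays the role of the ELAttributeEvaluator pass.

```python
import re

# Constructed stand-in for the container's EL scopes. The names below are
# hypothetical; they are not Tiles objects, only what an EL expression could
# reach once it is evaluated on the server.
SERVER_CONTEXT = {
    "applicationScope": {"dbPassword": "hunter2"},
    "initParam": {"adminEmail": "admin@example.test"},
}

EL_EXPR = re.compile(r"\$\{([^}]*)\}")


def resolve(path, scope):
    """Resolve a dotted EL-style name such as applicationScope.dbPassword.
    Like EL, an unresolvable name yields the empty string."""
    cur = scope
    for part in path.strip().split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return str(cur)


def evaluate(text, scope):
    """One EL pass: replace every ${...} in text with its resolved value."""
    return EL_EXPR.sub(lambda m: resolve(m.group(1), scope), text)


def page_scope(request_params):
    """Scope seen by the JSP page: server context plus the request parameters."""
    return dict(SERVER_CONTEXT, param=request_params)


def render_tiles_2_1_1(tag_value, request_params):
    """Model of the vulnerable flow: the container evaluates the tag attribute
    (pass 1), then the value is handed to the Tiles evaluator and evaluated
    again (pass 2), so EL syntax that arrived inside user data is resolved too."""
    scope = page_scope(request_params)
    once = evaluate(tag_value, scope)
    return evaluate(once, scope)


def render_fixed(tag_value, request_params):
    """Model of the fix: the value the container already evaluated is treated
    as a literal and is never passed through the Tiles evaluator again."""
    return evaluate(tag_value, page_scope(request_params))


def contains_el(value):
    """Check an application can apply to untrusted input that will reach a
    Tiles tag on an unpatched 2.1.x: does the value carry EL syntax?"""
    return EL_EXPR.search(value) is not None


if __name__ == "__main__":
    # Tag in the JSP: <tiles:putAttribute name="title" value="${param.title}"/>
    tag = "${param.title}"
    benign = {"title": "Hello"}                                # constructed input
    hostile = {"title": "${applicationScope.dbPassword}"}      # constructed input
    print(render_tiles_2_1_1(tag, benign))    # Hello
    print(render_tiles_2_1_1(tag, hostile))   # hunter2  (server data leaked)
    print(render_fixed(tag, hostile))         # ${applicationScope.dbPassword}
    print(contains_el(hostile["title"]))      # True
```

  The benign parameter renders identically in both flows; only the second pass turns a parameter that happens to contain EL syntax into a read of the server context, which is why the fix consists of evaluating once and treating the result as data. The contains_el() check is a stop-gap for input validation on an unpatched deployment, not a substitute for upgrading.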