| Don't allow users visiting MVC Views directly! |
 |
A rather dangerous security hole was discovered in Web applications with certain components and configuration, which can be exploited through FreeMarker.
Which systems are affected
Web applications using JSP Model-2 approach to implement MVC (like older versions of Struts and WebWorks) are POSSIBLY vulnerable if the templates have a publicly visitable URL (like http://example.com/foo.ftl). Having such visitable MVC Views, while is a bad practice, doesn't make the application vulnerable in itself, only combined with certain runtime environment settings unrelated to FreeMarker. No more details will be disclosed until FreeMarker 2.3.19 (expected at the end of February, 2012), so users have a chance to secure their applications (see later how). Even if your system is not vulnerable, if you have directly visitable templates, you should apply the fix described below, as similar undiscovered exploits may exist.
This security problem exists regardless of FreeMarker version. FreeMarker 2.3.19 will have a change to block this exploit in some cases, but not in all cases.
How to fix the issue
MVC Views should only be callable by the MVC Controller, even regardless of this security issue. They shouldn't have public URL-s, since they are internal implementation details. Indeed, most of them are dysfunctional without the Controller preparing the data-model.
To fix this, add this to WEB-INF/web.xml before </web-app> or
login-config or security-role or env-entry or ejb-ref,
whichever comes first:
<!--
Prevent the visiting of MVC Views from outside the servlet container.
RequestDispatcher.forward/include should and will still work.
Removing this may open security holes!
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>FreeMarker MVC Views</web-resource-name>
<url-pattern>*.ftl</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- Nobody is allowed to visit these -->
</auth-constraint>
</security-constraint>
You have to replace the *.ftl pattern inside the url-pattern
with the pattern that your FreeMarker view servlet (such as
FreemarkerServlet) is mapped to.
This requires Servlet 2.2 or later, and it always should be checked that visiting a template directly indeed gives an error (HTTP 403).
Note: Modern Web application frameworks don't use the request-forwarding approach anymore for FreeMarker views. So possibly you can remove the related servlet declaration altogether, without breaking the application. It happens that it was just left there for no good reason.
Some question that may arise
Q: What can the attacker do?
A: Sorry, no information will be released until 2.3.19.
Q: Why don't you just release all the information now?
A: To give users a chance to secure their systems before that.
Q: But now I don't know if my system is vulnerable!
A: You should apply the "security-constraint" fix regardless.
Maybe even where you don't use FreeMarker.
Q: Why don't you release 2.3.19 as soon as possible?
A: Because a source code change would expose what the problem is,
while it wouldn't even give 100% protection.
Q: Is this security issue being actively exploited now?
A: We are not aware of any incidents that use this exploit.
