Shulou(Shulou.com)06/01 Report--

Spring MVC and Spring WebFlux header caused by RFD attack risk is how, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

0x00 vulnerability background

On January 17, 2020, 360CERT detected that spring officially issued a CVE-2020-5398 vulnerability warning with a high vulnerability level.

In versions 5.1.x before Spring Framework,5.2.x and 5.1.x before 5.0.16 and 5.0.x before 5.0.16, applications are vulnerable to reflection file download (RFD) attacks by setting a "Content-Disposition" response header header in the response, where the filename attribute comes from user-supplied input.

360CERT judges that the vulnerability level is high and the hazard / impact area is large. It is recommended to use Spring MVC or Spring WebFlux users to install the latest patches in time to avoid hacker attacks.

0x01 vulnerability details

The application is vulnerable when all of the following conditions are met:

1. The response header is added through org.springframework.http.ContentDisposition

2. The file name is set in one of the following ways:

ContentDisposition.Builder#filename (String)

ContentDisposition.Builder#filename (String, US_ASCII)

3. The value of filename comes from the input provided by the user.

4. The application did not clear the input provided by the user

5. The attacker has injected malicious commands into the downloaded response.

0x02 affects version

Spring Framework:

5.2.0 to 5.2.2

5.1.0 to 5.1.12

5.0.0 to 5.0.15

0x03 repair recommendation

1. It is recommended that 5.2.x users should upgrade to 5.2.3.

5.1.x users should upgrade to 5.1.13.

5.0.x users should upgrade to 5.0.16

2. Or use the correct configuration:

The "Content-Disposition" response header is not set by the ① application.

② response header is not added through org.springframework.http.ContentDisposition

The ③ file name is set in one of the following ways:

ContentDisposition.Builder#filename (String, UTF_8)

ContentDisposition.Builder#filename (String, ISO_8859_1)

The value of ④ filename is not from the input provided by the user

⑤ filename comes from user-supplied input, but is cleared by the application.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.