By Miche
via searchsoftwarequality.techtarget.com
Published: Jul 17 2008 / 10:56
Ounce Labs recently discovered two vulnerabilities that can affect Java Web applications that use the Spring Framework. The company is working with SpringSource to ensure developers know how to protect against these security issues.
Comments
paul_houle replied ago:
Points out an important issue with frameworks in general, despite an annoying interstitial ad. (At least this one doesn't crash Firefox.)
MichaelMinella replied ago:
The issue is not with the Spring Framework. It is with Spring MVC. Being unclear about things like this can have serious impacts on the acceptance of open source in an enterprise.
cwilkes replied ago:
At first I thought this was a joke as I got a 500 error when loading up this dzone page :)
javax.el.PropertyNotFoundException: List.getIndex '1' is an invalid index for list of length '1'
....
at com.dzone.utils.filters.WhosOnlineFilter.doFilter(WhosOnlineFilter.java:136)
DarrenDarren replied ago:
Even 2+ years ago, I remember seeing warnings in the Spring MVC documentation to always use "setAllowedFields" to prevent malicious values from being inserted into your form-backing objects. It's good to raise awareness among Spring MVC developers, but this is hardly a discovery.
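The allow-list behaviour mentioned in the comments above, as an added example that is not part of the linked article or of any commenter's post. It assumes spring-beans and spring-context are on the classpath; the AccountForm class, its fields, and the request values are hypothetical and constructed for illustration.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

import java.util.Arrays;

public class AllowedFieldsDemo {

    // Hypothetical form-backing object: "admin" is set by the application,
    // never by the person filling in the form.
    public static class AccountForm {
        private String displayName;
        private String email;
        private boolean admin;

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String v) { displayName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    // Constructed request parameters: two fields the form renders plus one it does not.
    static MutablePropertyValues constructedRequest() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("displayName", "Alice");
        pvs.add("email", "alice@example.org");
        pvs.add("admin", "true");
        return pvs;
    }

    public static void main(String[] args) {
        // Without an allow-list, every property with a setter is bindable.
        AccountForm open = new AccountForm();
        new DataBinder(open, "account").bind(constructedRequest());
        System.out.println("no allow-list:   admin=" + open.isAdmin());

        // With setAllowedFields, only the listed properties are bound;
        // everything else is dropped and recorded as suppressed.
        AccountForm restricted = new AccountForm();
        DataBinder binder = new DataBinder(restricted, "account");
        binder.setAllowedFields("displayName", "email");
        binder.bind(constructedRequest());
        System.out.println("with allow-list: admin=" + restricted.isAdmin());
        System.out.println("suppressed fields: "
                + Arrays.toString(binder.getBindingResult().getSuppressedFields()));
    }
}
```

In a Spring MVC controller the same setAllowedFields call is made on the WebDataBinder passed to an @InitBinder method, and the suppressed-fields list is a convenient thing to log when reviewing which unexpected parameters a form receives.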