Sina Weibo:
http://weibo.com/u/2275304001/home?wvr=5
WeChat official account: DebugPwn
Vulnerability description:
When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.
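In other words, when an authorization request is processed and the whitelabel views are in use, the response_type parameter value is evaluated as Spring SpEL, so an attacker can trigger remote code execution by crafting the response_type value. In practice, the analysis shows that any exception handed to handError for processing leads to code execution.
Source code comparison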
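A log-side check for the behaviour described above, as an added example that is not part of the original post or of the Spring project: it flags authorization requests whose response_type, after repeated URL decoding, is not a normal OAuth value or contains an expression delimiter. The `/oauth/authorize` path, the combined log format, the `${` / `#{` markers and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

AUTHORIZE_PATH = "/oauth/authorize"  # assumption: default authorization endpoint path
ALLOWED_TOKENS = {"code", "token", "id_token"}  # RFC 6749 values plus OpenID Connect id_token
EXPR_MARKER = re.compile(r"[$#]\{")  # opening delimiter of a placeholder or SpEL template
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format), not taken from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /oauth/authorize?response_type=code&client_id=app HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /oauth/authorize?response_type=bogus&client_id=app HTTP/1.1" 400 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /oauth/authorize?response_type=%24%7B2*3%7D&client_id=app HTTP/1.1" 400 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:02 +0000] "GET /oauth/authorize?response_type=%2524%257B2*3%257D&client_id=app HTTP/1.1" 400 512',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded marker is still seen."""
    for _ in range(max_rounds):
        value = unquote(value)
    return value


def classify(log_line):
    """Return 'ok', 'invalid' or 'expression'; None if the line is not an authorize request."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path != AUTHORIZE_PATH:
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("response_type", [])
    verdict = "ok" if values else "invalid"
    for value in map(fully_decode, values):
        if EXPR_MARKER.search(value):
            return "expression"  # highest severity wins
        if not value or set(value.split()) - ALLOWED_TOKENS:
            verdict = "invalid"
    return verdict


def scan(lines):
    """Return (line_number, verdict) for every authorize request that is not 'ok'."""
    results = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, v) for n, v in results if v in ("invalid", "expression")]
```

Because the post notes that any exception reaching the error handler is enough, the `invalid` verdict is worth reviewing as well as `expression`.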
diff1:
https://github.com/spring-projects/spring-security-oauth/commit/fff77d3fea477b566bcacfbfc95f85821a2bdc2d