Two Security Vulnerabilities in the Spring Framework's MVC

While performing source code security review engagements, members of the Ounce Labs Advanced Research Team (ART) discovered and exploited two vulnerabilities in the commonly used Spring Framework's MVC (Model View Controller).

These vulnerabilities allow attackers to subvert the expected application logic and behavior, potentially gaining control of the application itself, and access to any data, credentials or keys held in the application.

The two vulnerabilities described in this document are not security flaws within the Framework, but design issues that, if not implemented properly, expose business-critical applications to malicious attacks. Fortunately, the right security awareness in the design and testing phases of applications using the Spring MVC can protect enterprises from exploitation.

This advisory is part of ongoing research at Ounce Labs on the security implications of widely used web Frameworks. Although these two vulnerabilities relate to the Spring Framework's MVC, Ounce Labs' ART believes that similar issues will be found in other such Frameworks used by enterprise applications.
