Dear Reader,
this blog post is about Server Side Template Injections for the Apache Freemarker Template Engine, how to detect them, how to craft an exploit and what countermeasures can be implemented. Server Side Template Injections are critical because they often allow even Remote Code Execution, like the exploit of Apache OFBiz 13.07.03 that triggered this post in the first place. It is fair to note, that the exploit of Apache OFBiz requires a valid session with the server, but often this is just an inconvenience for an attacker.
Continue reading