...
Excerpt |
---|
A vulnerability, present in the "includeParams" attribute of the URL and Anchor Tag, allows remote command execution |
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Remote command execution |
Maximum security rating | High Critical |
Recommendation | Developers should immediately upgrade to Struts 2.3.14.1 |
Affected Software | Struts 2.0.0 - Struts 2.3.14 |
Reporter | The Struts Team |
CVE Identifier | Problem |
Both the s:url and s:a tag provide an includeParams attribute.
The main scope of that attribute is to understand whether includes http request parameter or not.
The allowed values for the attribute of includeParams are:
- none - include no parameters in the URL (default)
- get - include only GET parameters in the URL
- all - include both GET and POST parameters in the URL
...
- Open HelloWorld.jsp present in the Struts Blank App and add to one of the url/a tag the following parameter:
Such that the line will be something look like this:Code Block includeParams="all"
(it works also with includeParams="get").Code Block xml xml <s:url id="url" action="HelloWorld" includeParams="all">
- Run struts2-blank app
- Open the url: http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D
(this is the shortened version http://goo.gl/lhlTl)
In As you will notice, in this case, there is no way to escape/sanitize the fakeParam, since it's not an expected parameter.
...