...
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Remote server context manipulation |
Maximum security rating | Critical |
Recommendation | Developers should immediately upgrade to Struts 2.0.11.212 or upgrade to XWork 2.0.56 |
Affected Software | Struts 2.0.0 - Struts 2.0.11.1 2 |
Original JIRA Ticket | |
Reporter | Meder Kydyraliev, Google Security Team |
...
As of XWork 2.0.5, the ParameterInterceptor was changed to provide a whitelist mechanism for acceptable, non malicious parameter names. Therefore, in the example above, the given parameter will be ignored. Nevertheless there are still cases where the whitelist mechanism does not prevent the context from being manipulated.
As of XWork 2.0.6, the ParametersInterceptor applies stack changes to a copy of the original value stack, for which context parameters which could be manipulated are cleared beforehand.
You can either obtain a copy of the released XWork 2.0.5 6 jar as a drop in replacement for the XWork 2.0.4 / 2.0.5 jar used in Struts 2.0.9 and above, or download a full release of Struts 2.0.11.212, which contains the corrected XWork library.