Excerpt

Special top object can be used to access Struts' internals


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Manipulation of Struts' internals, altering of user session

Maximum security rating

High

Important

Recommendation

Update the regex used to exclude vulnerable incoming parameters. An upgrade to Struts 2.3.24.1 is recommended.

Affected Software

Struts 2.0.0 - Struts 2.3.24

Reporter

rskvp93 at gmail dot com from Viettel Information Security Center

CVE Identifier

CVE-2015-5209

Problem

ValueStack defines a special top object which represents the root of the execution context. It can be used to manipulate Struts' internals or to affect the container's settings.

...

Applying a better regex which includes a pattern to exclude request parameters trying to use the top object. We recommend upgrading to Struts 2.3.24.1.

...

Backward compatibility

If an application is using a parameter named top to access an action's properties, it won't be set on the action. Otherwise, no backward compatibility problems are expected.

...

Applying the below patterns will solve the problem as well:

"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|#\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
"^(action|method):.*"
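As an added illustration (not part of the bulletin or of the Struts code base), the two patterns above are run against constructed parameter names in Python. The patterns are copied verbatim from the Java string literals; `is_excluded` assumes the interceptor requires a full match, as Java's `Matcher.matches()` does.

```python
import re

# The two exclusion patterns from the bulletin, copied verbatim from the Java
# string literals. Java and Python share the escape rules for \\ and \", so
# these ordinary (non-raw) Python strings yield the identical regular expressions.
EXCLUDE_PATTERNS = [
    "(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|#\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
    "^(action|method):.*",
]
COMPILED = [re.compile(p) for p in EXCLUDE_PATTERNS]


def is_excluded(param_name: str) -> bool:
    """Return True if a request parameter name is rejected by the patterns.

    Assumption: Struts' ParametersInterceptor tests excludeParams with
    Matcher.matches(), i.e. the whole name must match, so re.fullmatch is
    used here rather than re.search.
    """
    return any(p.fullmatch(param_name) for p in COMPILED)


def filter_parameters(params: dict) -> dict:
    """Drop excluded names, mimicking the parameters the interceptor refuses to set."""
    return {k: v for k, v in params.items() if not is_excluded(k)}


# Constructed sample parameter names (not taken from the bulletin).
SAMPLE = {
    "username": "alice",                   # ordinary action property: kept
    "topic.title": "hello",                # starts with "top" but is not the top object: kept
    "top.session.userId": "1",             # reaches session via top: dropped
    "#top.request.userPrincipal": "x",     # OGNL-style reference via top: dropped
    "%{top.servletContext.attr}": "x",     # expression form via top: dropped
    "session.userId": "1",                 # direct internal name: dropped
    "action:login": "",                    # action: prefix, second pattern: dropped
}

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name!r:38} excluded={is_excluded(name)}")
```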

...