Summary

Showcase app vulnerability allows remote command execution

| Who should read this | All Struts 2 developers |
|---|---|
| Impact of vulnerability | Remote command execution |
| Maximum security rating | Important |
| Recommendation | Developers should immediately upgrade to Struts 2.3.14.3 |
| Affected Software | Struts Showcase App 2.0.0 - Struts Showcase App 2.3.14.2 |
| Reporter | Xgc Kxlzx, Alibaba Security Team |
| CVE Identifier | |
| Original Description | Reported directly to security@a.o |
Problem
OGNL provides, among other features, extensive expression evaluation capabilities.
A request that includes a specially crafted request parameter can inject arbitrary OGNL code into an action property. On its own, storing the parameter value in the property is only a literal assignment. The property is, however, afterwards used as a request parameter of a redirect address, and the redirect location is evaluated again, so the injected `%{expr}` is executed during that second evaluation.
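The double evaluation described above, modelled as an added example that is not code from the Struts project: a stand-in evaluator replaces OGNL and only resolves plain property names, recording every other expression it is handed (the point where a real OGNL runtime would execute the attacker's statements). The redirect location `/skill/edit.action?skillName=${skillName}` is an assumed configuration, not the showcase's actual struts.xml entry, and the hardened variant is a generic single-pass fix rather than the 2.3.14.3 patch.

```python
import re
from urllib.parse import quote

# Matches one ${expr} or %{expr} placeholder (no nesting): the two forms that
# Struts/XWork expand inside result parameters and text templates.
PLACEHOLDER = re.compile(r"[$%]\{([^{}]*)\}")


class RecordingEvaluator:
    """Stand-in for the OGNL evaluator (assumption: no real OGNL runtime is
    modelled). Plain property names resolve against `properties`; any other
    expression is appended to `executed` and yields "", marking the point where
    the real engine would run the attacker's statements."""

    def __init__(self, properties):
        self.properties = properties
        self.executed = []

    def evaluate(self, expr):
        if expr in self.properties:
            return str(self.properties[expr])
        self.executed.append(expr)
        return ""


def translate_variables(text, evaluator):
    """One pass of placeholder expansion over `text`."""
    return PLACEHOLDER.sub(lambda m: evaluator.evaluate(m.group(1)), text)


# Hypothetical redirect location for the showcase edit action; the real
# struts.xml entry is not reproduced here.
REDIRECT_TEMPLATE = "/skill/edit.action?skillName=${skillName}"


def vulnerable_redirect(skill_name_param, evaluator):
    """Double evaluation: the raw parameter is stored as a property value (a
    literal assignment, harmless on its own), the configured location is
    expanded once, and the expanded location is parsed for placeholders again,
    which hands the property's %{...} content to the evaluator."""
    evaluator.properties["skillName"] = skill_name_param
    location = translate_variables(REDIRECT_TEMPLATE, evaluator)   # pass 1
    return translate_variables(location, evaluator)                # pass 2: the bug


def hardened_redirect(skill_name_param, evaluator):
    """Single evaluation: after the one expansion the property value is data,
    URL-encoded into the location and never re-parsed."""
    evaluator.properties["skillName"] = skill_name_param
    value = evaluator.evaluate("skillName")
    return "/skill/edit.action?skillName=" + quote(value, safe="")


if __name__ == "__main__":
    payload = "%{(#_memberAccess['allowStaticMethodAccess']=true)(#x=1)}"  # constructed, inert
    ev = RecordingEvaluator({})
    print(vulnerable_redirect(payload, ev), ev.executed)
    ev = RecordingEvaluator({})
    print(hardened_redirect(payload, ev), ev.executed)
```

With a benign value such as `SPRING-DEV` both paths produce the same location and nothing is recorded; with a `%{...}` value the vulnerable path records the attacker's statement list on pass 2 while the hardened path emits it percent-encoded and records nothing. The check to carry back to real code is the same: any string that is expanded once must not be fed to the expression engine a second time.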
...
- Run struts2-showcase
- Open the URL: http://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRING-DEV
- Set the skill name to an OGNL expression of the form %{expr}, for example:

  ```
  %{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}
  ```

- Submit the form
...
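Detection for the reproduction steps above, as an added example that is not part of the advisory: the payload is URL-decoded out of request parameters in access-log lines and checked for the markers this exploit relies on (`%{`/`${` delimiters, `#_memberAccess`, `denyMethodExecution`, `#context[`, and `@class@member` static access). The log lines, timestamps and addresses are constructed for the example, not captured from a real server.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample data: the advisory's payload and four access-log lines in
# Apache combined-style format. Nothing here was captured from a real server.
PAYLOAD = ("%{(#_memberAccess['allowStaticMethodAccess']=true)"
           "(#context['xwork.MethodAccessor.denyMethodExecution']=false)"
           "(#hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
           "#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}")

SAMPLE_LOG = [
    '127.0.0.1 - - [24/May/2013:10:15:32 +0000] '
    '"GET /struts2-showcase/skill/edit.action?skillName=SPRING-DEV HTTP/1.1" 200 5123',
    '10.0.0.5 - - [24/May/2013:10:16:01 +0000] '
    '"GET /struts2-showcase/skill/edit.action?skillName=' + quote(PAYLOAD, safe="") + ' HTTP/1.1" 200 24',
    '10.0.0.9 - - [24/May/2013:10:17:44 +0000] '
    '"GET /struts2-showcase/skill/edit.action?skillName=%24%7BskillName%7D HTTP/1.1" 200 5123',
    '192.0.2.7 - - [24/May/2013:10:18:03 +0000] '
    '"GET /struts2-showcase/index.action HTTP/1.1" 200 9021',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers of OGNL injection attempts, checked against the URL-decoded parameter value.
OGNL_MARKERS = {
    "expr_delim": re.compile(r"[%$]\{"),                    # ${...} / %{...}
    "member_access": re.compile(r"#_memberAccess"),         # sandbox toggle
    "deny_method_exec": re.compile(r"denyMethodExecution"),
    "context_access": re.compile(r"#context\["),
    "static_call": re.compile(r"@[\w.]+@\w+"),              # @class@member
}


def flag_request(log_line):
    """Return [(param_name, [marker_names])] for query parameters whose
    decoded value carries OGNL markers; [] for clean or unparsable lines."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl decodes exactly once, as the servlet container does.
    for name, value in parse_qsl(query, keep_blank_values=True):
        markers = [k for k, rx in OGNL_MARKERS.items() if rx.search(value)]
        if markers:
            hits.append((name, markers))
    return hits


def scan(lines):
    """Index of every flagged line mapped to its hits."""
    return {i: hits for i, line in enumerate(lines) if (hits := flag_request(line))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG).items():
        print(i, hits)
```

The bare `${skillName}` probe on the third line is flagged on the delimiter alone; treat a delimiter hit as reconnaissance and a `#_memberAccess` or `@class@member` hit as an exploitation attempt. Two caveats: access logs do not contain POST bodies, so the form submission in the steps above is invisible here and needs application-level request logging or a WAF in front of the container, and a server that decodes parameters more than once would also need the decoded value re-checked after a second `unquote`.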
Warning: It is strongly recommended to upgrade to Struts 2.3.14.3, which contains the corrected OGNL and XWork libraries.
...