THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL Tag , which will cause a further evaluation.
OGNL evaluation was already addressed in S2-003 and S2-005 and S2-009, but, since it involved just the parameter's name, it turned out that the resulting fixes based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.
The second evaluation happens when redirect result reads it from the stack and uses the previously injected code as redirect parameterURL Tag tries to resolve every parameters present in the original request.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to disable enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.
Proof of concept
- Open HelloWorld.jsp present in the Struts Blank App and add to one of the url tag the following parameter:
Such that the line will be something look like this:Code Block includeParams="all"
(I'm pretty sure it works with includeParams="get" as well).Code Block xml xml <s:url id="url" action="HelloWorld" includeParams="all"> - Run struts2-blank app
- Open the
- Run struts2-showcase
- Open url: http://localhost:8080/struts2-showcase/skill/editexample/HelloWorld.action?skillName=SPRING-DEV
write skill name to %{expr} for example: Code Block
(this is the shortenerize version http://goo.gl/lhlTl)
The issue, in order to work, need a redirect result defined as the following:
...