Versions Compared

Old Version 4

changes.mady.by.user Maurizio Cucchiara

Saved on

compared with

New Version 5

changes.mady.by.user Maurizio Cucchiara

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers

Impact of vulnerability

Remote command execution

Maximum security rating

High Critical

Recommendation

Developers should immediately upgrade to Struts 2.3.14.1

Affected Software

Struts 2.0.0 - Struts 2.3.14

Problem

OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL Tag , which will cause a further evaluation.

...

  1. Open HelloWorld.jsp present in the Struts Blank App and add to one of the url tag the following parameter:
    Code Block
     includeParams="all"
    Such that the line will be something look like this:
    Code Block
    xml
    xml
    <s:url id="url" action="HelloWorld" includeParams="all">
    (I'm pretty sure it works also with includeParams="get" as well).
  2. Run struts2-blank app
  3. Open the url: http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D
    (this is the shortenerize shortened version http://goo.gl/lhlTl)

The issue, in order to work, need a redirect result defined as the following:

Code Block

<action name="save" class="org.apache.struts2.showcase.action.SkillAction" method="save">
    <result type="redirect">edit.action?skillName=${currentSkill.name}</result>
</action>

Solution

...

In this case, there is no way to escape the fakeParam, since it's not an expected parameter.

Solution

The OGNLUtil class was changed to deny eval expressions by default.

Note
titleBackward Compatibility

In case you need to restore the old behavior, you need to define the following constant, inside your struts configuration (use it at your own risk).

Code Block
xml
xml

<constant name="struts.ognl.enableOGNLEvalExpression" value="true" />

Please, ensure that:

  1. there are no includeParams with "all" or "get" value
  2. every parameter which is declared inside the u or a tag come from a sanitized input.
Warning

It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library.