...

To prevent attackers from calling arbitrary methods via request parameters, the flag xwork.MethodAccessor.denyMethodExecution is set to true and the SecurityMemberAccess field allowStaticMethodAccess is set to false by default. Also, to prevent access to context variables, an improved character whitelist for parameter names has been applied in the ParameterInterceptor since Struts 2.2.1.1:

    acceptedParamNames = "[a-zA-Z0-9\.\]\[()_']+";

Under certain circumstances these restrictions can be bypassed to execute malicious Java code.

...

Update to Struts 2.3.1 and apply a stronger acceptedParamNames filter to the ParameterInterceptor and CookieInterceptor:

    acceptedParamNames = "[a-zA-Z0-9\.\]\[()_']+";
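The following is an added example, not code from the advisory or from the Struts project. It applies the acceptedParamNames whitelist quoted above (this version of the page shows the same pattern for the 2.2.1.1 filter and for the recommended stronger one, so one check covers both passages) to a constructed set of request parameter names, to make visible which names the interceptor would hand to OGNL and which it would drop. The check is assumed to be a full match, as Java's Matcher.matches() performs; the parameter names, the helper names and the sample request map are all constructed for this example.

```python
import re
from typing import Dict, Tuple

# Whitelist regex as quoted in the advisory for the parameter-name filter.
# Java's Matcher.matches() only succeeds if the whole input matches, so the
# Python equivalent is re.fullmatch(), not re.search().
ACCEPTED_PARAM_NAMES = r"[a-zA-Z0-9\.\]\[()_']+"
_ACCEPTED = re.compile(ACCEPTED_PARAM_NAMES)


def is_acceptable_name(name: str) -> bool:
    """Return True if the parameter name passes the whitelist in full.

    Assumption (mirrors the interceptor's check): a name is bound to the
    action only when every character is in the whitelisted class.
    """
    return _ACCEPTED.fullmatch(name) is not None


def filter_params(params: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a request parameter map into names that pass the whitelist and
    names that are dropped before any OGNL evaluation takes place."""
    accepted: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    for name, value in params.items():
        if is_acceptable_name(name):
            accepted[name] = value
        else:
            rejected[name] = value
    return accepted, rejected


# Constructed sample request parameters (not taken from the advisory):
# ordinary property paths next to names that use OGNL syntax the whitelist
# is meant to keep out of parameter names.
SAMPLE_PARAMS = {
    "user.name": "alice",                    # plain property path: accepted
    "orders[0].id": "42",                    # indexed property: accepted
    "#context['foo']": "x",                  # '#' (context variable access): rejected
    "@java.lang.Runtime@getRuntime()": "x",  # '@' (static access syntax): rejected
    "user.name=1": "x",                      # '=' (assignment): rejected
    "a, b": "x",                             # ',' and whitespace: rejected
    "foo('bar')": "x",                       # '(', ')' and ''' are admitted: accepted
}


if __name__ == "__main__":
    ok, dropped = filter_params(SAMPLE_PARAMS)
    for name in ok:
        print("accepted:", name)
    for name in dropped:
        print("rejected:", name)
```

The last sample name shows that the whitelist is a character filter, not a syntax check: parentheses and single quotes, which are also OGNL method-call and string-literal syntax, pass through unchanged. The advisory says the restrictions can be bypassed under certain circumstances but this page does not give the details, so the example makes no claim about how.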