...
To prevent attackers from calling arbitrary methods within parameters, the flag xwork.MethodAccessor.denyMethodExecution is set to true and the SecurityMemberAccess field allowStaticMethodAccess is set to false by default. Also, to prevent access to context variables, an improved character whitelist for parameter names is applied in the ParameterInterceptor since Struts 2.2.1.1:

    acceptedParamNames = "[a-zA-Z0-9\.][()_']+";
Under certain circumstances these restrictions can be bypassed to execute malicious Java code.
...
Update to Struts 2.3.1 and apply a stronger acceptedParamNames filter to the ParameterInterceptor and CookieInterceptor:

    acceptedParamNames = "[a-zA-Z0-9\.][()_']+";
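As an added illustration of how an acceptedParamNames whitelist of the kind described above is applied before parameter names reach OGNL, here is a small Java program (example code written for this page, not Struts' own interceptor). The class name ParamNameWhitelist and the sample parameter names are constructed; the regex constant is an assumption, namely the bulletin's pattern with the square brackets inside the character class regex-escaped so that it compiles as a Java string and admits indexed names such as user['email'].

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Illustration only (not Struts code). The pattern is an assumption: the bulletin's
// pattern with the brackets inside the character class escaped so it compiles.
public class ParamNameWhitelist {
    static final String ACCEPTED_PARAM_NAMES = "[a-zA-Z0-9\\.\\]\\[\\(\\)_']+";
    private final Pattern accepted;

    ParamNameWhitelist(String regex) {
        this.accepted = Pattern.compile(regex);
    }

    // True only if the whole name matches; a partial match is not enough.
    boolean isAcceptableName(String name) {
        return name != null && accepted.matcher(name).matches();
    }

    // Keeps parameters whose names pass; rejected names are collected for logging,
    // since a rejected name is a useful detection signal.
    Map<String, String> filter(Map<String, String> params, Map<String, String> rejected) {
        Map<String, String> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (isAcceptableName(e.getKey())) {
                kept.put(e.getKey(), e.getValue());
            } else {
                rejected.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample parameters, not taken from a real request.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("user.name", "alice");             // property path: accepted
        request.put("user['email']", "a@example.org"); // indexed property: accepted
        request.put("#context", "x");                  // '#' is not whitelisted: rejected
        request.put("user.name=x", "y");               // '=' is not whitelisted: rejected
        request.put("a b", "z");                       // whitespace: rejected

        Map<String, String> rejected = new LinkedHashMap<>();
        Map<String, String> kept = new ParamNameWhitelist(ACCEPTED_PARAM_NAMES).filter(request, rejected);
        System.out.println("accepted: " + kept.keySet());
        System.out.println("rejected: " + rejected.keySet());
    }
}
```

The whitelist only governs which characters a parameter name may contain; it does not by itself restrict what the name resolves to, which is why the bulletin pairs it with denyMethodExecution and allowStaticMethodAccess.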