Summary

Special top object can be used to access Struts' internals

| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Manipulation of Struts' internals, altering of user session |
| Maximum security rating | High |
| Recommendation | Update the regex used to exclude vulnerable incoming parameters. An upgrade to Struts 2.3.24.1 is recommended. |
| Affected Software | Struts 2.0.0 - Struts 2.3.24 |
| Reporter | rskvp93 at gmail dot com from Viettel Information Security Center |
| CVE Identifier | TBD |
Problem
OGNL defines a special top object which represents the root of the execution context. It can be used to manipulate Struts' internals or to affect the container's settings.
Solution
Apply a better regex that includes a pattern to exclude request parameters trying to use the top object. We recommend upgrading to Struts 2.3.24.1 or higher.
Backward compatibility
If an application is using a parameter named top to access the action's properties, it won't be set on the action. In other cases no backward compatibility problems are expected.
Workaround
Applying the patterns below will solve the problem as well:
"(^|\\%\\{)(top(\\.|\\['|\\[\")|#)?(dojo|struts|session|request|application|servlet(Request|Response)|parameters|context|_memberAccess)(\\.|\\[).*", "^(action|method):.*"
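To check which incoming parameter names the two patterns above reject, here is an added Python example (not from the bulletin or the Struts code base) that applies them the way the params interceptor's excludeParams setting does, using fullmatch to mirror Java's Matcher.matches(); the sample parameter names are constructed.

```python
import re

# The two exclusion patterns from the bulletin, with the Java string
# escaping (doubled backslashes) collapsed into plain regex syntax.
TOP_PATTERN = r"""(^|\%\{)(top(\.|\['|\[")|#)?(dojo|struts|session|request|application|servlet(Request|Response)|parameters|context|_memberAccess)(\.|\[).*"""
DMI_PATTERN = r"^(action|method):.*"

EXCLUDE_PATTERNS = [re.compile(TOP_PATTERN), re.compile(DMI_PATTERN)]


def is_excluded(name: str) -> bool:
    """True if at least one exclusion pattern matches the whole parameter name.

    fullmatch is used because Struts compares names with Java's
    Matcher.matches(), which requires the entire name to match.
    """
    return any(p.fullmatch(name) for p in EXCLUDE_PATTERNS)


def filter_params(params: dict) -> dict:
    """Model of the interceptor: drop excluded names before they reach the action."""
    return {k: v for k, v in params.items() if not is_excluded(k)}


# Constructed sample request parameters (not taken from the bulletin).
SAMPLE_PARAMS = {
    "user.name": "alice",        # ordinary action property, must pass
    "sessionData.id": "42",      # 'session' prefix but not a dotted 'session' path, passes
    "top.session.user": "x",     # walks into the context via top, rejected
    "%{#context.foo}": "x",      # OGNL expression syntax, rejected
    "struts.token": "x",         # internal namespace, rejected
    "action:other": "x",         # dynamic method invocation prefix, rejected
}

if __name__ == "__main__":
    for name in SAMPLE_PARAMS:
        print(f"{name!r:22} excluded={is_excluded(name)}")
    print("accepted:", sorted(filter_params(SAMPLE_PARAMS)))
```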