You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Summary

XWork ParameterInterceptors bypass allows OGNL statement execution

Who should read this

All Struts 2 developers

Impact of vulnerability

Remote server context manipulation

Maximum security rating

Critical

Recommendation

Developers should immediately upgrade to Struts 2.0.11.2 or upgrade to XWork 2.0.5

Affected Software

WebWork 2.0 - WebWork 2.2.6, Struts 2.0.0 - Struts 2.0.11.1

Original JIRA Ticket

XW-641, WW-2692

Reporter

Meder Kydyraliev, Google Security Team

Problem

OGNL provides, among other features, extensive expression evaluation capabilities (http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html). The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.

So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:

('\u0023' + 'session\'user\'')(unused)=0wn3d

which will look as follows once URL encoded:

('\u0023'%20%2b%20'session\'user\'')(unused)=0wn3d

Solution

As of XWork 2.0.5, the ParameterInterceptor was changed to provide a whitelist mechanism for acceptable, non malicious parameter names. Therefore, in the example above, the given parameter will be ignored. You can either obtain a copy of the released XWork 2.0.5 jar as a drop in replacement for the XWork 2.0.4 jar used in Struts 2.0.9 and above, or download a full release of Struts 2.0.11.2, which contains the corrected XWork library.

  • No labels