Summary
XWork ParameterInterceptors bypass allows OGNL statement execution
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Remote server context manipulation |
Maximum security rating | Critical |
Recommendation | Developers should immediately upgrade to Struts 2.2.1 or later |
Affected Software | Struts 2.0.0 - Struts 2.1.8.1 |
Original JIRA Ticket | |
Reporter | Meder Kydyraliev, Google Security Team |
CVE Identifier | CVE-2008-6504 |
Problem
OGNL provides, among other features, extensive expression evaluation capabilities (http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html). The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.
So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:
('\u0023' + 'session\'user\'')(unused)=0wn3d
which will look as follows once URL encoded:
('\u0023'%20%2b%20'session\'user\'')(unused)=0wn3d
Solution
To fix this particular issue, upgrade to at least Struts 2.2.1