
...

If a request doesn't match any other defined action, it is matched by * and the requested action name is used to load a JSP file based on the name of the action. Because the value of {1} is treated as an OGNL expression, this allows arbitrary Java code to be executed on the server side. This vulnerability is a combination of two problems:

  • the requested action name isn't escaped or checked against a whitelist
  • double evaluation of an OGNL expression in TextParseUtil.translateVariables when a combination of the $ and % open characters is used.
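As an added illustration of the first problem (not code from the bulletin or from Struts itself), the following check rejects a requested action name before a wildcard mapping can feed it into {1}; the allowlist pattern and the class name are assumptions, chosen to mirror the purpose of the struts.allowed.action.names setting that later Struts releases introduced.

```java
import java.util.regex.Pattern;

// Defensive allowlist check for a requested Struts action name. This is an
// added example, not the project's own code; the patterns are assumptions
// and should be adjusted to the action names your application defines.
public final class ActionNameGuard {
    // Only plain names: letters, digits, dot, underscore, slash and dash.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9._/\\-]+");
    // Characters that open OGNL evaluation in TextParseUtil ($ and %) or
    // that OGNL syntax relies on; any of them disqualifies the name outright.
    private static final Pattern OGNL_OPENER = Pattern.compile("[$%{}()#@]");

    private ActionNameGuard() {}

    /** Returns true when the name may safely reach a wildcard mapping. */
    public static boolean isAllowed(String actionName) {
        if (actionName == null || actionName.isEmpty()) {
            return false;
        }
        if (OGNL_OPENER.matcher(actionName).find()) {
            return false;
        }
        return ALLOWED.matcher(actionName).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names: an ordinary action and one carrying an
        // OGNL opener, which must be rejected rather than mapped to {1}.
        String[] samples = {"listOrders", "%{example}"};
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowed(s) ? "allowed" : "rejected"));
        }
    }
}
```

Running the class prints `listOrders -> allowed` and `%{example} -> rejected`; the check belongs in front of the action mapper, so the wildcard rule only ever sees names that cannot be evaluated as expressions.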

Proof of concept

Wildcard matching

...