Child pages
  • S2-015

Excerpt

A vulnerability introduced by the wildcard matching mechanism or by double evaluation of an OGNL expression allows remote command execution.


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Remote command execution, remote server context manipulation, injection of malicious client side code

Maximum security rating

Highly Critical

Recommendation

Developers should immediately upgrade to Struts 2.3.14.3

Affected Software

Struts 2.0.0 - Struts 2.3.14.2

Reporter

Jon Passki from Coverity Security Research Laboratory reported directly to security@struts.a.o and via a blog post

CVE Identifier

CVE-2013-2135, CVE-2013-2134

Problem

Struts 2 allows action mappings to be defined based on wildcards, as in the example below:

...

Wildcard matching

  1. Run the struts2-blank app
  2. Open the following URL; the action name is resolved dynamically from the value passed in #foo

    http://localhost:8080/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D

    which URL-decodes to

    http://localhost:8080/example/${#foo='Menu',#foo}


...

Double evaluation of an expression

  1. Open example.xml in the Struts Blank App and change the result of the HelloWorld action to the one below:

    <result type="httpheader">
        <param name="headers.foobar">${message}</param>
    </result>


  2. Open HelloWorld.java and change the execute() method as below, so that the action no longer overwrites the message field and the value set from the request parameter is what reaches the result:

    public String execute() throws Exception {
        return SUCCESS;
    }


  3. Run struts2-blank app
  4. Open the following URL (you need a tool that shows response headers)

    http://localhost:8080/example/HelloWorld.action?message=%24{%25{1%2B2}}

    which URL-decodes to

    http://localhost:8080/example/HelloWorld.action?message=${%{1+2}}

  5. Check the value of the foobar header; it should be 3, showing that the parameter value was evaluated a second time as an OGNL expression

...
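Both reproduction steps above share one observable trait from the server's point of view: an OGNL expression (`${...}`, `%{...}`, or a `#var` reference) arrives in a place where only a plain action name or parameter value is expected, usually URL-encoded. The following detector is an added example, not code from the bulletin or from the Struts project. It URL-decodes request targets from access-log lines (repeatedly, to unwrap nested encodings), checks the path and each query parameter for those markers, and reports what it found. The marker regex and the sample log lines are constructed for this example; the log lines mirror the two URLs from the steps above plus two benign requests.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Markers of an OGNL expression embedded where only a plain action name or
# parameter value is expected: "${...}", "%{...}", or a "#var" reference.
# This set is an assumption for the example; tune it for your deployment.
OGNL_MARKERS = re.compile(r"\$\{|%\{|#[A-Za-z_]")


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so nested encodings (%2524 -> %24 -> $) are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> list:
    """Return (location, decoded_value) findings for one request target.

    The path covers the wildcard-action case (the expression sits where the
    action name should be); query parameters cover the double-evaluation case.
    """
    findings = []
    parts = urlsplit(target)
    # A raw '#' in the target is parsed as a fragment; keep it attached to the path.
    raw_path = parts.path + ("#" + parts.fragment if parts.fragment else "")
    path = decode_fully(raw_path)
    if OGNL_MARKERS.search(path):
        findings.append(("path", path))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(value)  # parse_qsl decoded once; unwrap further layers
        if OGNL_MARKERS.search(value):
            findings.append((f"param:{name}", value))
    return findings


# Constructed sample access-log lines (combined log format), not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2013:12:00:01 +0000] "GET /example/HelloWorld.action HTTP/1.1" 200 512
10.0.0.7 - - [10/Jun/2013:12:00:02 +0000] "GET /example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D HTTP/1.1" 200 640
10.0.0.9 - - [10/Jun/2013:12:00:03 +0000] "GET /example/HelloWorld.action?message=%24{%25{1%2B2}} HTTP/1.1" 200 512
10.0.0.9 - - [10/Jun/2013:12:00:04 +0000] "GET /example/HelloWorld.action?message=hello%20world HTTP/1.1" 200 512
"""

# Extract method and request target from the quoted request line of each log entry.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_log(text: str) -> list:
    """Scan log lines; return (line_number, target, findings) for suspicious requests."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append((lineno, m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for lineno, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {target}")
        for where, value in findings:
            print(f"    {where}: {value}")
```

Run against the constructed log, the scanner flags line 2 (expression in the path, the wildcard case) and line 3 (expression in the `message` parameter, the double-evaluation case) and ignores the two benign requests. The repeated decoding matters because a single `unquote` would leave a doubly encoded `%2524` as `%24` and miss it.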