S2-048

Summary

Possible RCE in the Struts Showcase app via the Struts 1 plugin example in the Struts 2.3.x series

Who should read this

All Struts 2 developers and users should read this

Impact of vulnerability

Possible RCE when using the Struts 2 Struts 1 plugin

Maximum security rating

High

Recommendation

Please read the Solution section

Affected Software

Struts 2.3.x

Reporter

icez <ic3z at qq dot com> from Tophant Competence Center

CVE Identifier

CVE-2017-9791

Problem

It is possible to perform an RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin with a Struts 1 action, if that value becomes part of a message presented to the user, i.e. when untrusted input is used as part of an error message passed to the ActionMessage class. The plugin resolves the ActionMessage key through Struts 2's text provider; a key that matches no resource bundle entry is returned as the message text and evaluated for OGNL expressions, so attacker-controlled text in that position is executed on the server.

Solution

Always use a resource key and pass untrusted values as message arguments, as shown below; never pass a raw message string that contains user input directly to ActionMessage.

// Safe: fixed resource key, untrusted value supplied as a message argument
messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

and never like this

// Vulnerable: untrusted value concatenated into the message key/text
messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));
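The following is an added example and not code from the Struts project or from this bulletin. It shows a complete Struts 1 action, as run under the Struts 2 Struts 1 plugin, with the vulnerable ActionMessage usage from the Problem section beside the hardened form from the Solution section. The GangsterForm bean, the GangsterAction class and the struts1.gangsterAdded resource key are assumptions made for illustration; the Struts 1 API calls (ActionMessage, ActionMessages, saveMessages) are the real ones.

```java
// Added example (not Struts project code): a Struts 1 action under the Struts 2
// Struts 1 plugin, vulnerable pattern beside the hardened pattern.
// GangsterForm, GangsterAction and the "struts1.gangsterAdded" key are assumptions.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

/** Hypothetical form bean; "name" is populated from an untrusted request parameter. */
class GangsterForm extends ActionForm {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

public class GangsterAction extends Action {

    // VULNERABLE: the user-supplied name is concatenated into the ActionMessage
    // key. The Struts 1 plugin resolves that key through Struts 2's text provider;
    // a key with no bundle entry is returned as the message text and evaluated
    // for OGNL expressions, so attacker-controlled text runs on the server
    // (CVE-2017-9791). Kept here only to show the pattern to avoid.
    public ActionMessages vulnerableMessage(GangsterForm gform) {
        ActionMessages messages = new ActionMessages();
        messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));
        return messages;
    }

    // HARDENED: a fixed resource key is resolved and the untrusted value is passed
    // as a message argument, which is only formatted into the {0} placeholder of
    // the bundle entry, e.g. in the application's message resources:
    //   struts1.gangsterAdded=Gangster {0} was added
    public ActionMessages safeMessage(GangsterForm gform) {
        ActionMessages messages = new ActionMessages();
        messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));
        return messages;
    }

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        GangsterForm gform = (GangsterForm) form;
        // ... persist the new gangster here ...
        // Store the messages for the view using the safe pattern only.
        saveMessages(request, safeMessage(gform));
        return mapping.findForward("success");
    }
}
```

When auditing an application for this issue, grep for `new ActionMessage(` and flag every call whose first argument is built by concatenation or otherwise derived from request data; only constant resource keys should appear in that position.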

Backward compatibility

No backward incompatibility issues are expected.
