Apache Struts 2 Documentation > Home > Security Bulletins > S2-003
Apache Struts 2 Documentation
S2-003
Edit Page   Browse Space   Add Page   Add News
Added by Rene Gielen, last edited by Rene Gielen on Jun 22, 2008

Summary

XWork ParameterInterceptors bypass allows OGNL statement execution

Who should read this All Struts 2 developers
Impact of vulnerability Remote server context manipulation
Maximum security rating Critical
Recommendation Developers should immediately upgrade to Struts 2.0.11.2 or upgrade to XWork 2.0.5
Affected Software Struts 2.0.0 - Struts 2.0.11.1
Original JIRA Ticket XW-641, WW-2692
Reporter Meder Kydyraliev, Google Security Team

Problem

OGNL provides, among other features, extensive expression evaluation capabilities (http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html). The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.

So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:

('\u0023' + 'session[\'user\']')(unused)=0wn3d

which will look as follows once URL encoded:

('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d

Solution

As of XWork 2.0.5, the ParameterInterceptor was changed to provide a whitelist mechanism for acceptable, non malicious parameter names. Therefore, in the example above, the given parameter will be ignored. You can either obtain a copy of the released XWork 2.0.5 jar as a drop in replacement for the XWork 2.0.4 jar used in Struts 2.0.9 and above, or download a full release of Struts 2.0.11.2, which contains the corrected XWork library.

Generated by Atlassian Confluence (Version: 2.2.9 Build: 527 Sep 07, 2006) AutoExport Plugin (Version: Unknown - PluginManager Error)