|Home > Security Bulletins > S2-005|
XWork ParameterInterceptors bypass allows remote command execution
Who should read this
All Struts 2 developers
Impact of vulnerability
Remote server context manipulation
Maximum security rating
Developers should immediately upgrade to Struts 2.2.1 or read the following solution instructions carefully for a configuration change to mitigate the vulnerability
Struts 2.0.0 - Struts 126.96.36.199
Original JIRA Ticket
Meder Kydyraliev, Google Security Team
OGNL provides, among other features, extensive expression evaluation capabilities (http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html). The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.
This behavior was already addressed in S2-003, but it turned out that the resulting fix based on whitelisting acceptable parameter names closed the vulnerability only partially. At least the following context objects are still accessible:
As of XWork 2.2.1, now being an integral part of the Struts 2.2.1 release, the ParameterInterceptor was changed to provide a very strict whitelist mechanism for acceptable, non malicious parameter names. Therefore parameters other than simple property navigation paths will be ignored.
In case an upgrade isn't possible in a particular environment, there is a configuration based mitigation workaround:
The following additional interceptor-ref configuration, suggested by John Wilander, should mitigate the problem when applied correctly: