Описание
Code injection in Apache Struts
A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.
both the s:url and s:a tag provide an includeParams attribute.
The main scope of that attribute is to understand whether includes http request parameter or not.
The allowed values of includeParams are:
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL or A tag , which will cause a further evaluation.
The second evaluation happens when the URL/A tag tries to resolve every parameters present in the original request. This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.
The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2013-2115
- https://github.com/apache/struts/commit/d7804297e319c7a12245e1b536e565fcea6d650
- https://github.com/apache/struts/commit/d934c6e7430b7b98e43a0a085a2304bd31a75c3d
- https://github.com/apache/struts/commit/ea96d18d0f75c390d2595648efa3563785c272c6
- https://github.com/apache/struts/commit/fed4f8e8a4ec69b5e7612b92d8ce3e476680474
- https://bugzilla.redhat.com/show_bug.cgi?id=967656
- https://cwiki.apache.org/confluence/display/WW/S2-013
- https://cwiki.apache.org/confluence/display/WW/S2-014
- https://issues.apache.org/jira/browse/WW-4063
- https://web.archive.org/web/20140212000331/http://www.securityfocus.com/bid/60167
- http://struts.apache.org/development/2.x/docs/s2-014.html
Пакеты
org.apache.struts:struts2-core
>= 2.0.0, < 2.3.14.2
2.3.14.2
org.apache.struts.xwork:xwork-core
>= 2.0.0, < 2.3.14.2
2.3.14.2
Связанные уязвимости
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arb ...
Уязвимость программной платформы Apache Struts, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код