Posted to commits@struts.apache.org by lu...@apache.org on 2013/06/05 07:24:02 UTC
svn commit: r864459 - in
/websites/production/struts/content/release/2.3.x/docs: s2-015.html
security-bulletins.html
Author: lukaszlenart
Date: Wed Jun 5 05:24:01 2013
New Revision: 864459
Log:
Adds missing version notes
Added:
websites/production/struts/content/release/2.3.x/docs/s2-015.html
Modified:
websites/production/struts/content/release/2.3.x/docs/security-bulletins.html
Added: websites/production/struts/content/release/2.3.x/docs/s2-015.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/s2-015.html (added)
+++ websites/production/struts/content/release/2.3.x/docs/s2-015.html Wed Jun 5 05:24:01 2013
@@ -0,0 +1,262 @@
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+ <HEAD>
+ <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <STYLE type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </STYLE>
+ <STYLE type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </STYLE>
+ <SCRIPT type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </SCRIPT>
+ <TITLE>S2-015</TITLE>
+ <META http-equiv="Content-Type" content="text/html;charset=UTF-8"></HEAD>
+ <BODY onload="init()">
+ <TABLE border="0" cellpadding="2" cellspacing="0" width="100%">
+ <TR class="topBar">
+ <TD align="left" valign="middle" class="topBarDiv" align="left" nowrap="">
+ <A href="home.html" title="Apache Struts 2 Documentation">Apache Struts 2 Documentation</A> > <A href="home.html" title="Home">Home</A> > <A href="security-bulletins.html" title="Security Bulletins">Security Bulletins</A> > <A href="" title="S2-015">S2-015</A>
+ </TD>
+ <TD align="right" valign="middle" nowrap="">
+ <FORM name="search" action="http://www.google.com/search" method="get">
+ <INPUT type="hidden" name="ie" value="UTF-8">
+ <INPUT type="hidden" name="oe" value="UTF-8">
+ <INPUT type="hidden" name="domains" value="">
+ <INPUT type="hidden" name="sitesearch" value="">
+ <INPUT type="text" name="q" maxlength="255" value="">
+ <INPUT type="submit" name="btnG" value="Google Search">
+ </FORM>
+ </TD>
+ </TR>
+ </TABLE>
+
+ <DIV id="PageContent">
+ <DIV class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <DIV style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</DIV>
+ <DIV style="margin: 0px 10px 8px 10px" class="pagetitle">S2-015</DIV>
+
+ <DIV class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <A href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823638">
+ <IMG src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif" height="16" width="16" border="0" align="absmiddle" title="Edit Page"></A>
+ <A href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823638">Edit Page</A>
+
+ <A href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <IMG src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif" height="16" width="16" border="0" align="absmiddle" title="Browse Space"></A>
+ <A href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</A>
+
+ <A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823638">
+ <IMG src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif" height="16" width="16" border="0" align="absmiddle" title="Add Page"></A>
+ <A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823638">Add Page</A>
+
+ <A href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823638">
+ <IMG src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif" height="16" width="16" border="0" align="absmiddle" title="Add News"></A>
+ <A href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823638">Add News</A>
+ </DIV>
+ </DIV>
+
+ <DIV class="pagecontent">
+ <DIV class="wiki-content">
+ <H2><A name="S2-015-Summary"></A>Summary</H2>
+
+
+<P>A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</P>
+
+
+<DIV class="table-wrap">
+<TABLE class="confluenceTable"><TBODY>
+<TR>
+<TH class="confluenceTh">Who should read this</TH>
+<TD class="confluenceTd">All Struts 2 developers and users</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Impact of vulnerability</TH>
+<TD class="confluenceTd">Remote command execution, remote server context manipulation, injection of malicious client side code</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Maximum security rating</TH>
+<TD class="confluenceTd">Highly Critical</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Recommendation</TH>
+<TD class="confluenceTd">Developers should immediately upgrade to <A href="http://struts.apache.org/download.cgi#struts23143" class="external-link" rel="nofollow">Struts 2.3.14.3</A></TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Affected Software</TH>
+<TD class="confluenceTd"> Struts 2.0.0 - Struts 2.3.14.2 </TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Reporter</TH>
+<TD class="confluenceTd"> Jon Passki from Coverity Security Research Laboratory reported directly to security@struts.a.o and via <A href="https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection" class="external-link" rel="nofollow">blog post</A> </TD>
+</TR>
+<TR>
+<TH class="confluenceTh">CVE Identifier</TH>
+<TD class="confluenceTd"><A href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2135" class="external-link" rel="nofollow">CVE-2013-2135</A>, <A href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2134" class="external-link" rel="nofollow">CVE-2013-2134</A></TD>
+</TR>
+</TBODY></TABLE>
+</DIV>
+
+
+<H2><A name="S2-015-Problem"></A>Problem</H2>
+
+<P>Struts 2 allows define action mapping base on wildcards, like in example below:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag"><action name=<SPAN class="code-quote">"*"</SPAN> class=<SPAN class="code-quote">"example.ExampleSupport"</SPAN>></SPAN>
+ <SPAN class="code-tag"><result></SPAN>/example/{1}.jsp<SPAN class="code-tag"></result></SPAN>
+<SPAN class="code-tag"></action></SPAN>
+</PRE>
+</DIV></DIV>
+
+<P>If a request doesn't match any other defined action, it will be matched by <TT>*</TT> and requested action name will be used to load JSP file base on the name of action. And as value of {<TT>1</TT>} is threaten as an OGNL expression, thus allow to execute arbitrary Java code on server side. This vulnerability is combination of two problems:</P>
+<UL class="alternate" type="square">
+ <LI>requested action name isn't escaped or checked agains whitelist</LI>
+ <LI>double evaluation of an OGNL expression in <TT>TextParseUtil.translateVariables</TT> when combination of <TT>$</TT> and <TT>%</TT> open chars is used.</LI>
+</UL>
+
+
+<H2><A name="S2-015-Proofofconcept"></A>Proof of concept</H2>
+
+<H4><A name="S2-015-Wildcardmatching"></A>Wildcard matching</H4>
+<OL>
+ <LI>Run struts2-blank app</LI>
+ <LI>Open the following url, resulting in dynamic action name resolution based on passed value of <TT>#foo</TT>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">http:<SPAN class="code-comment">//localhost:8080/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D</SPAN></PRE>
+</DIV></DIV>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">http:<SPAN class="code-comment">//localhost:8080/example/${#foo='Menu',#foo}</SPAN></PRE>
+</DIV></DIV></LI>
+</OL>
+
+
+<P>As you can notice, action name is resolved based on user input and you can put any arbitrary code to perform attack.</P>
+
+<H4><A name="S2-015-Doubleevaluationofanexpression"></A>Double evaluation of an expression</H4>
+<OL>
+ <LI>Open example.xml present in the Struts Blank App and change result of HelloWorld action to one below:
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag"><result type=<SPAN class="code-quote">"httpheader"</SPAN>></SPAN>
+ <SPAN class="code-tag"><param name=<SPAN class="code-quote">"headers.foobar"</SPAN>></SPAN>${message}<SPAN class="code-tag"></param></SPAN>
+<SPAN class="code-tag"></result></SPAN>
+</PRE>
+</DIV></DIV></LI>
+ <LI>Open HelloWorld.java and change <TT>execute()</TT> method as below:
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">
+<SPAN class="code-keyword">public</SPAN> <SPAN class="code-object">String</SPAN> execute() <SPAN class="code-keyword">throws</SPAN> Exception {
+ <SPAN class="code-keyword">return</SPAN> SUCCESS;
+}
+</PRE>
+</DIV></DIV></LI>
+ <LI>Run struts2-blank app</LI>
+ <LI>Open the following url (you must have a tool to check response headers)
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">http:<SPAN class="code-comment">//localhost:8080/example/HelloWorld.action?message=%24{%25{1%2B2}}</SPAN></PRE>
+</DIV></DIV>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">http:<SPAN class="code-comment">//localhost:8080/example/HelloWorld.action?message=${%{1+2}}</SPAN></PRE>
+</DIV></DIV></LI>
+ <LI>Check value of <TT>foobar</TT> header, it should be <TT>3</TT></LI>
+</OL>
+
+
+<P>As you can notice, passed value of <TT>message</TT> parameter was used to set value of <TT>foobar</TT> header and the value was double evaluated - first time when <TT>${message</TT>} was evaluated, secondly when parsed value (<TT>${%{1+2</TT>}}) was evaluated again.</P>
+
+<H2><A name="S2-015-Solution"></A>Solution</H2>
+
+<P>With the new version actions' names whitelisting was introduced and by default is set to accept actions that match the following regex:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">[a-z]*[A-Z]*[0-9]*[.\-_!/]*</PRE>
+</DIV></DIV>
+<P>user can change the definition by setting up a new constant in struts.xml as below:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag"><constant name=<SPAN class="code-quote">"struts.allowed.action.names"</SPAN> value=<SPAN class="code-quote">"[a-zA-Z]*"</SPAN> /></SPAN>
+</PRE>
+</DIV></DIV>
+
+<P>Double evaluation of passed expression was removed from <TT>OgnlTextParser</TT> which is used by <TT>TextParseUtil.translateVariables</TT>.</P>
+
+<DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Backward Compatibility</B><BR>There should be no problems with migration from previous version.</TD></TR></TABLE></DIV>
+
+<DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>It is strongly recommended to upgrade to <A href="http://struts.apache.org/download.cgi#struts23143" class="external-link" rel="nofollow">Struts 2.3.14.3</A>.</B></TD></TR></TABLE></DIV>
+ </DIV>
+
+
+ </DIV>
+ </DIV>
+ <DIV class="footer">
+ Generated by
+ <A href="http://www.atlassian.com/confluence/">Atlassian Confluence</A> (Version: 3.4.9 Build: 2042 Feb 14, 2011)
+ <A href="http://could.it/autoexport/">Auto Export Plugin</A> (Version: 1.0.0-dkulp)
+ </DIV>
+ </BODY>
+</HTML>
\ No newline at end of file
Modified: websites/production/struts/content/release/2.3.x/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/security-bulletins.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/security-bulletins.html Wed Jun 5 05:24:01 2013
@@ -124,8 +124,7 @@ under the License.
<DIV class="pagecontent">
<DIV class="wiki-content">
<P>The following security bulletins are available:</P>
-
-<UL><LI><A href="s2-001.html" title="S2-001">S2-001</A> — <SPAN class="smalltext">Remote code exploit on form validation error</SPAN></LI><LI><A href="s2-002.html" title="S2-002">S2-002</A> — <SPAN class="smalltext">Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags</SPAN></LI><LI><A href="s2-003.html" title="S2-003">S2-003</A> — <SPAN class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</SPAN></LI><LI><A href="s2-004.html" title="S2-004">S2-004</A> — <SPAN class="smalltext">Directory traversal vulnerability while serving static content</SPAN></LI><LI><A href="s2-005.html" title="S2-005">S2-005</A> — <SPAN class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</SPAN></LI><LI><A href="s2-006.html" title="S2-006">S2-006</A> — <SPAN class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</SPAN></LI><LI><A href="s2-007.html" title="S2-007">S2-007</A> — <SPAN class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</SPAN></LI><LI><A href="s2-008.html" title="S2-008">S2-008</A> — <SPAN class="smalltext">Multiple critical vulnerabilities in Struts2</SPAN></LI><LI><A href="s2-009.html" title="S2-009">S2-009</A> — <SPAN class="smalltext">ParameterInterceptor vulnerability allows remote command execution</SPAN></LI><LI><A href="s2-010.html" title="S2-010">S2-010</A> — <SPAN class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</SPAN></LI><LI><A href="s2-011.html" title="S2-011">S2-011</A> — <SPAN class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</SPAN></LI><LI><A href="s2-012.html" title="S2-012">S2-012</A> — <SPAN class="smalltext">Showcase app vulnerability allows remote command execution</SPAN></LI><LI><A href="s2-013.html" title="S2-013">S2-013</A> — <SPAN class="smalltext">A vulnerability, present in the <EM>includeParams</EM> attribute of the <EM>URL</EM> and <EM>Anchor</EM> Tag, allows remote command execution</SPAN></LI><LI><A href="s2-014.html" title="S2-014">S2-014</A> — <SPAN class="smalltext">A vulnerability introduced by forcing parameter inclusion in the <EM>URL</EM> and <EM>Anchor</EM> Tag allows remote command execution, session access and manipulation and XSS attacks</SPAN></LI><LI><A href="https://cwiki.apache.org/confluence/display/WW/S2-015" title="S2-015">S2-015</A> — <SPAN class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution</SPAN></LI></UL>
+<UL><LI><A href="s2-001.html" title="S2-001">S2-001</A> — <SPAN class="smalltext">Remote code exploit on form validation error</SPAN></LI><LI><A href="s2-002.html" title="S2-002">S2-002</A> — <SPAN class="smalltext">Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags</SPAN></LI><LI><A href="s2-003.html" title="S2-003">S2-003</A> — <SPAN class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</SPAN></LI><LI><A href="s2-004.html" title="S2-004">S2-004</A> — <SPAN class="smalltext">Directory traversal vulnerability while serving static content</SPAN></LI><LI><A href="s2-005.html" title="S2-005">S2-005</A> — <SPAN class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</SPAN></LI><LI><A href="s2-006.html" title="S2-006">S2-006</A> — <SPAN class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</SPAN></LI><LI><A href="s2-007.html" title="S2-007">S2-007</A> — <SPAN class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</SPAN></LI><LI><A href="s2-008.html" title="S2-008">S2-008</A> — <SPAN class="smalltext">Multiple critical vulnerabilities in Struts2</SPAN></LI><LI><A href="s2-009.html" title="S2-009">S2-009</A> — <SPAN class="smalltext">ParameterInterceptor vulnerability allows remote command execution</SPAN></LI><LI><A href="s2-010.html" title="S2-010">S2-010</A> — <SPAN class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</SPAN></LI><LI><A href="s2-011.html" title="S2-011">S2-011</A> — <SPAN class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</SPAN></LI><LI><A href="s2-012.html" title="S2-012">S2-012</A> — <SPAN class="smalltext">Showcase app vulnerability allows remote command execution</SPAN></LI><LI><A href="s2-013.html" title="S2-013">S2-013</A> — <SPAN class="smalltext">A vulnerability, present in the <EM>includeParams</EM> attribute of the <EM>URL</EM> and <EM>Anchor</EM> Tag, allows remote command execution</SPAN></LI><LI><A href="s2-014.html" title="S2-014">S2-014</A> — <SPAN class="smalltext">A vulnerability introduced by forcing parameter inclusion in the <EM>URL</EM> and <EM>Anchor</EM> Tag allows remote command execution, session access and manipulation and XSS attacks</SPAN></LI><LI><A href="s2-015.html" title="S2-015">S2-015</A> — <SPAN class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</SPAN></LI></UL>
</DIV>
<DIV class="tabletitle">
@@ -178,7 +177,7 @@ under the License.
<A href="s2-014.html" title="S2-014">S2-014</A>
<SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
<BR>
- <A href="https://cwiki.apache.org/confluence/display/WW/S2-015" title="S2-015">S2-015</A>
+ <A href="s2-015.html" title="S2-015">S2-015</A>
<SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
<BR>
</DIV>