You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by lu...@apache.org on 2016/06/17 12:26:20 UTC
svn commit: r990786 [1/4] - in /websites/production/struts/content: ./ docs/
Author: lukaszlenart
Date: Fri Jun 17 12:26:19 2016
New Revision: 990786
Log:
Updates production
Added:
websites/production/struts/content/docs/s2-035.html
websites/production/struts/content/docs/s2-036.html
websites/production/struts/content/docs/s2-037.html
websites/production/struts/content/docs/s2-038.html
websites/production/struts/content/docs/s2-039.html
websites/production/struts/content/docs/s2-040.html
websites/production/struts/content/docs/s2-041.html
websites/production/struts/content/docs/version-notes-2329.html
websites/production/struts/content/docs/version-notes-251.html
Modified:
websites/production/struts/content/announce.html
websites/production/struts/content/dev-mail.html
websites/production/struts/content/docs/security-bulletins.html
websites/production/struts/content/download.html
websites/production/struts/content/downloads.html
websites/production/struts/content/index.html
websites/production/struts/content/mail.html
Modified: websites/production/struts/content/announce.html
==============================================================================
--- websites/production/struts/content/announce.html (original)
+++ websites/production/struts/content/announce.html Fri Jun 17 12:26:19 2016
@@ -124,6 +124,73 @@
Skip to: <a href="announce-2015.html">Announcements - 2015</a>
</p>
+<h4 id="a20160617">17 June 2016 - Struts 2.3.29 General Availability with Security Fixes Release</h4>
+
+<p>The Apache Struts group is pleased to announce that Struts 2.3.29 is available as a “General Availability”
+release. The GA designation is our highest quality grade.</p>
+
+<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.</p>
+
+<p>This release addresses two potential security vulnerabilities:</p>
+
+<ul>
+ <li>
+ <p><a href="/docs/s2-035.html">S2-035</a>
+Action name clean up is error prone</p>
+ </li>
+ <li>
+ <p><a href="/docs/s2-036.html">S2-036</a>
+Forced double OGNL evaluation, when evaluated on raw user input in tag attributes,
+may lead to remote code execution (similar to S2-029)</p>
+ </li>
+ <li>
+ <p><a href="/docs/s2-037.html">S2-037</a>
+Remote Code Execution can be performed when using REST Plugin.</p>
+ </li>
+ <li>
+ <p><a href="/docs/s2-038.html">S2-038</a>
+It is possible to bypass token validation and perform a CSRF attack</p>
+ </li>
+ <li>
+ <p><a href="/docs/s2-039.html">S2-039</a>
+Getter as action method leads to security bypass</p>
+ </li>
+ <li>
+ <p><a href="/docs/s2-040.html">S2-040</a>
+Input validation bypass using existing default action method.</p>
+ </li>
+ <li>
+ <p><a href="/docs/s2-041.html">S2-041</a>
+Possible DoS attack when using URLValidator</p>
+ </li>
+</ul>
+
+<p>This release contains several breaking changes and improvements just to mention few of them:</p>
+
+<ul>
+ <li>Json result type breaks</li>
+ <li>MessageStorePreResultListener doesn’t store messages for 3rd-party RedirectResult subclasses</li>
+ <li>Multiple tiles.xml in web.xml</li>
+ <li>New Tiles version can not find tiles*.xml files in sub-directories</li>
+ <li>EmailValidator flags .cat emails as invalid</li>
+ <li>Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80</li>
+ <li>Tile definition Inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+</li>
+ <li><code class="highlighter-rouge"><s:submit></code> generates a value attribute for type=image which violates W3C</li>
+ <li>ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1</li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this action.</strong></p>
+
+<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 6.</p>
+
+<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
+to the user list, and, if appropriate, file a tracking ticket.</p>
+
+<p>You can download this version from our <a href="download.html#struts-ga">download</a> page.</p>
+
<h4 id="a20160601">1 June 2016 - Two security vulnerabilities reported</h4>
<p>Two potential security vulnerabilities were reported which were already addressed in the latest Apache Struts 2 versions.
Modified: websites/production/struts/content/dev-mail.html
==============================================================================
--- websites/production/struts/content/dev-mail.html (original)
+++ websites/production/struts/content/dev-mail.html Fri Jun 17 12:26:19 2016
@@ -134,19 +134,19 @@ improvements and discussion on future St
<th>Description</th>
</tr>
<tr>
- <td>Struts-Dev</td>
+ <td><a href="https://lists.apache.org/list.html?dev@struts.apache.org">Struts-Dev</a></td>
<td><a href="mailto:dev-subscribe@struts.apache.org?subject=subscribe&body=subscribe">subscribe</a></td>
<td><a href="mailto:dev-unsubscribe@struts.apache.org?subject=unsubscribe&body=unsubscribe">unsubscribe</a></td>
<td>Contact other developers interested in expanding and improving Struts functionality.</td>
</tr>
<tr>
- <td>Struts-Commits</td>
+ <td><a href="https://lists.apache.org/list.html?commits@struts.apache.org">Struts-Commits</a></td>
<td><a href="mailto:commits-subscribe@struts.apache.org?subject=subscribe&body=subscribe">subscribe</a></td>
<td><a href="mailto:commits-unsubscribe@struts.apache.org?subject=unsubscribe&body=unsubscribe">unsubscribe</a></td>
<td>Receive notifications of changes to the Struts source code repository.</td>
</tr>
<tr>
- <td>Struts-Issues</td>
+ <td><a href="https://lists.apache.org/list.html?issues@struts.apache.org">Struts-Issues</a></td>
<td><a href="mailto:issues-subscribe@struts.apache.org?subject=subscribe&body=subscribe">subscribe</a></td>
<td><a href="mailto:issues-unsubscribe@struts.apache.org?subject=unsubscribe&body=unsubscribe">unsubscribe</a></td>
<td>Receive notifications from the Struts issue tracker.</td>
Added: websites/production/struts/content/docs/s2-035.html
==============================================================================
--- websites/production/struts/content/docs/s2-035.html (added)
+++ websites/production/struts/content/docs/s2-035.html Fri Jun 17 12:26:19 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-035</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-035.html">S2-035</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-035</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=63930371">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=63930371">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=63930371">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=63930371">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=63930371">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=63930371">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-035-Summary">Summary</h2>Action name clean up is error prone<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible wat to craft vulnerable payload</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to latest version of the Apache Struts, 2.3.29 or 2.5.1.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></t
h><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts<span style="color: rgb(23,35,59);"> 2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporters</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span class="Apple-tab-span"><span>Alvaro</span> </span>Munoz alvaro dot munoz at hpe dot com</p><p>Sam Ng samn at hpe dot com</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-4436</p></td></tr></tbody></table></div><h2 id="S2-035-Problem">Problem</h2><p>The method used to clean up action name can produce vulnerable payload based on crafted input which can be used by attacker to perform unspecified attack.</p><h2 id="S2-035-Solution">Solution</h2><p>You should upgrade to latest Struts version or implement your own version of <code>ActionMapper</code> based on source code of receomened Struts versions.</p><h2
id="S2-035-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading Struts version.</p><h2 id="S2-035-Workaround">Workaround</h2><p>Implement your own version of clean up method which will throw an exception.</p><p> </p></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Added: websites/production/struts/content/docs/s2-036.html
==============================================================================
--- websites/production/struts/content/docs/s2-036.html (added)
+++ websites/production/struts/content/docs/s2-036.html Fri Jun 17 12:26:19 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-036</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-036.html">S2-036</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-036</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64553424">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64553424">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64553424">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64553424">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64553424">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64553424">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-036-Summary">Summary</h2>Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029)<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values when r
e-assigning them to certain Struts' tags attributes.</p><p>Don't use %{...} syntax in tag attributes other than <em>value</em> unless you have a valid use-case.</p><p>Alternatively upgrade to <a shape="rect" href="version-notes-2328.html">Struts 2.3.29</a> or <a shape="rect" href="version-notes-251.html">Struts 2.5.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts<span style="color: rgb(23,35,59);"> 2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporters</p></th><td colspan="1" rowspan="1" class="confluenceTd"><span class="Apple-tab-span"><span>Alvaro</span> </span>Munoz alvaro dot munoz at hpe.com</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></ta
ble></div><h2 id="S2-036-Problem">Problem</h2><p>The same issue was reported in <a shape="rect" href="s2-029.html">S2-029</a> but the proposed solutions were not fully proper. The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.</p><h2 id="S2-036-Solution">Solution</h2><p>Adding a proper validation of each value that's coming in and it's used in tag's attributes.</p><p>Don't use forced evaluation of an attribute other than <em>value</em> using %{...} syntax unless really needed for a valid use-case. </p><p>By <span style="line-height: 1.42857;">upgrading to Struts 2.3.29 or 2.5.1, possible malicious effects of forced double evaluation are limited.</span></p><h2 id="S2-036-Backwardcompatibility">Backward compatibility</h2><p>Some backward incompatibility issues are expected when upgrading to Stru
ts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assigments.</p><h2 id="S2-036-Workaround">Workaround</h2><p>Not possible as this fix requires changes in OGNL and how Struts uses OGNL in certain aspects.</p><p> </p></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Added: websites/production/struts/content/docs/s2-037.html
==============================================================================
--- websites/production/struts/content/docs/s2-037.html (added)
+++ websites/production/struts/content/docs/s2-037.html Fri Jun 17 12:26:19 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-037</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-037.html">S2-037</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-037</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64553426">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64553426">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64553426">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64553426">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64553426">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64553426">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-037-Summary">Summary</h2>Remote Code Execution can be performed when using REST Plugin.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a shape="rect" href="version-notes-2329.html">Struts 2.3.29</a>.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Chao Jack <span style="color: rgb(34,34,34);">PKAV_香草</span> jc1990999 at yahoo dot com</p><p>Shinsaku Nomura nomura at bitforest dot jp</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-4438</p></td></tr></tbody></table></div><h2 id="S2-037-Problem">Problem</h2><p>It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when using the REST Plugin.</p><h2 id="S2-037-Solution">Solution</h2><p>Upgrade to Apache Struts version 2.3.29.</p><h2 id="S2-037-Backwardcompatibility">Backward compatibility</h2><p>Som
e backward incompatibility issues are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assigments.</p><h2 id="S2-037-Workaround">Workaround</h2><p>Not possible as this fix requires changes in OGNL and how Struts uses OGNL in certain aspects.</p></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Added: websites/production/struts/content/docs/s2-038.html
==============================================================================
--- websites/production/struts/content/docs/s2-038.html (added)
+++ websites/production/struts/content/docs/s2-038.html Fri Jun 17 12:26:19 2016
@@ -0,0 +1,153 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+ <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+ <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-038</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-038.html">S2-038</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-038</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64554066">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64554066">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64554066">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64554066">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64554066">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64554066">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-038-Summary">Summary</h2>It is possible to bypass token validation and perform a CSRF attack<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible CSRF attack</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a shape="rect" href="version-notes-2329.html">Struts 2.3.29</a>.</p></td></tr><tr><th colspan="1" rowspan="1" cla
ss="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Takeshi Terada websec02 dot g02 at gmail.com</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-4430</p></td></tr></tbody></table></div><h2 id="S2-038-Problem">Problem</h2><p>It is possible to pass a malicious expression which can be used to bypass token validation and perform CSRF attack.</p><h2 id="S2-038-Solution">Solution</h2><p>Upgrade to Apache Struts version 2.3.29.</p><h2 id="S2-038-Backwardcompatibility">Backward compatibility</h2><p>Some backward incompatibility issues are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop
working because of performing disallowed arithmetic operations and assignments.</p><h2 id="S2-038-Workaround">Workaround</h2><p>You can try to use more restrictive RegEx used to clean up action names as below:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><constant name="struts.allowed.action.names" value="[a-zA-Z]*" /></pre>
+</div></div><p>Please adjust the RegEx to your action naming pattern, it should be as narrowed as possible.</p></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Added: websites/production/struts/content/docs/s2-039.html
==============================================================================
--- websites/production/struts/content/docs/s2-039.html (added)
+++ websites/production/struts/content/docs/s2-039.html Fri Jun 17 12:26:19 2016
@@ -0,0 +1,153 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+ <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+ <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-039</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-039.html">S2-039</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-039</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64554069">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64554069">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64554069">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64554069">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64554069">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64554069">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-039-Summary">Summary</h2>Getter as action method leads to security bypass<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible manipulation of return result and bypassing validation</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a shape="rect" href="version-notes-2329.html">Struts 2.3.29</a>.</p></td></tr><tr><th col
span="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Takeshi Terada websec02 dot g02 at gmail.com</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-4433</p></td></tr></tbody></table></div><h2 id="S2-039-Problem">Problem</h2><p>It is possible to pass a crafted request which can be used to bypass internal security mechanism and manipulate return string which can leads to redirecting user to unvalidated location.</p><h2 id="S2-039-Solution">Solution</h2><p>Upgrade to Apache Struts version 2.3.29.</p><h2 id="S2-039-Backwardcompatibility">Backward compatibility</h2><p>Some backward incompatibility issu
es are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.</p><h2 id="S2-039-Workaround">Workaround</h2><p>You can try to use more restrictive RegEx used to clean up action names as below:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><constant name="struts.allowed.action.names" value="[a-zA-Z]*" /></pre>
+</div></div><p>Please adjust the RegEx to your action naming pattern, it should be as narrowed as possible.</p></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Added: websites/production/struts/content/docs/s2-040.html
==============================================================================
--- websites/production/struts/content/docs/s2-040.html (added)
+++ websites/production/struts/content/docs/s2-040.html Fri Jun 17 12:26:19 2016
@@ -0,0 +1,153 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+ <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+ <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-040</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-040.html">S2-040</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-040</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64554071">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64554071">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64554071">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64554071">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64554071">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64554071">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-040-Summary">Summary</h2>Input validation bypass using existing default action method.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible manipulation of return result and bypassing validation</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a shape="rect" href="version-notes-2329.html">Struts 2.3.29</a>.</p></td></t
r><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Takeshi Terada websec02 dot g02 at gmail.com</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-4431</p></td></tr></tbody></table></div><h2 id="S2-040-Problem">Problem</h2><p>Using existing default method it can be possible to bypass internal security mechanism and manipulate return string which can leads to redirecting user to unvalidated location.</p><h2 id="S2-040-Solution">Solution</h2><p>Upgrade to Apache Struts version 2.3.29.</p><h2 id="S2-040-Backwardcompatibility">Backward compatibility</h2><p>Some backward incompatibility i
ssues are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.</p><h2 id="S2-040-Workaround">Workaround</h2><p>You can try to use more restrictive RegEx used to clean up action names as below:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><constant name="struts.allowed.action.names" value="[a-zA-Z]*" /></pre>
+</div></div><p>Please adjust the RegEx to your action naming pattern, it should be as narrowed as possible.</p></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Added: websites/production/struts/content/docs/s2-041.html
==============================================================================
--- websites/production/struts/content/docs/s2-041.html (added)
+++ websites/production/struts/content/docs/s2-041.html Fri Jun 17 12:26:19 2016
@@ -0,0 +1,157 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+ <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+ <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-041</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-041.html">S2-041</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-041</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64554186">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=64554186">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64554186">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=64554186">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64554186">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=64554186">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-041-Summary">Summary</h2>Possible DoS attack when using <code>URLValidator</code><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible DoS attack when using URLValidator</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a shape="rect" href="version-notes-2329.html">Struts 2.3.29</a> or <a shape="rect" href="version-notes-2
51.html">Struts 2.5.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.28.1 and Struts 2.5</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>ASAI Ken tc535mr2 at gmail dot com</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-4465</p></td></tr></tbody></table></div><h2 id="S2-041-Problem">Problem</h2><p>If an application allows enter na URL field in a form and built-in <code>URLValidator</code> is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.</p><h2 id="S2-041-Solution">Solution</h2><p>Upgrade to Apache Struts version 2.3.29 or 2.5
.1.</p><h2 id="S2-041-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-041-Workaround">Workaround</h2><p>You can redefine RegEx used by <code>URLValidator</code> as below:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><validator type="url">
+ <param name="fieldName">myHomePage</param>
+ <param name="urlRegex">^(https?|ftp):\\/\\/(([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+(:([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+)?@)?(#?)((([a-z0-9]\\.|[a-z0-9][a-z0-9-]*[a-z0-9]\\.)*[a-z][a-z0-9-]*[a-z0-9]|((\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5])\\.){3}(\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5]))(:\\d+)?)(((\\/{0,1}([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)*(\\?([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?)?)?(#([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?$</param>
+ <message>Invalid homepage url</message>
+</validator></pre>
+</div></div></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>