Posted to dev@struts.apache.org by Anurag kumar <an...@gmail.com> on 2017/01/31 15:23:14 UTC

Struts 2.3.31 is excluding generic object.

Hi,

My Action class returns a generic object, and it was working fine with Struts 2.3.16, but after upgrading to Struts 2.3.31 it is excluding the generic object.
I found the <constant name="struts.excludedClasses"> constant in struts-default.xml while searching. Here java.lang.Object is excluded. My concern is: if I override this constant in my struts.xml file after removing java.lang.Object, will it have a huge impact on security?


Thanks
Anurag

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: Struts 2.3.31 is excluding generic object.

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-12 18:48 GMT+01:00 Yasser Zamani <ya...@live.com>:
>> This is strange, this can only happen if you used OGNL 3.1.14 or
>> 3.0.20 [1] but this wasn't part of Struts 2.3.32
> Don't worry Lukasz, it was not about #context accessibility; OGNL
> successfully compiles and goes forward until
> `javax.servlet.http.HttpServletRequest.getRequestURI()` but does not
> continue any more and returns null since `javax` is in its excluded
> packages due to security :)

Uf... ok :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts 2.3.31 is excluding generic object.

Posted by Yasser Zamani <ya...@live.com>.

On 3/12/2017 8:21 PM, Lukasz Lenart wrote:
> 2017-03-12 15:57 GMT+01:00 Yasser Zamani <ya...@live.com>:
>> Hi Anurag,
>>
>> I hope it's not too late but I have some comments.
>>
>> Today we updated to Struts 2.3.32 to fix security issue S2-045.
>>
>> After that, similar to your problem, we lost the following OGNL evaluation
>> to null in our JSPs :(
>>
>> "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"
>
> This is strange, this can only happen if you used OGNL 3.1.14 or
> 3.0.20 [1] but this wasn't part of Struts 2.3.32
Don't worry Lukasz, it was not about #context accessibility; OGNL
successfully compiles and goes forward until
`javax.servlet.http.HttpServletRequest.getRequestURI()` but does not
continue any more and returns null since `javax` is in its excluded
packages due to security :)
>
> https://github.com/jkuhnert/ognl#release-notes---version-3114-3020
>
>
> Regards
>

Re: Struts 2.3.31 is excluding generic object.

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-12 15:57 GMT+01:00 Yasser Zamani <ya...@live.com>:
> Hi Anurag,
>
> I hope it's not too late but I have some comments.
>
> Today we updated to Struts 2.3.32 to fix security issue S2-045.
>
> After that, similar to your problem, we lost the following OGNL evaluation
> to null in our JSPs :(
>
> "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"

This is strange, this can only happen if you used OGNL 3.1.14 or
3.0.20 [1] but this wasn't part of Struts 2.3.32

https://github.com/jkuhnert/ognl#release-notes---version-3114-3020


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts 2.3.31 is excluding generic object.

Posted by Yasser Zamani <ya...@live.com>.
Hi Anurag,

I hope it's not too late but I have some comments.

Today we updated to Struts 2.3.32 to fix security issue S2-045.

After that, similar to your problem, we lost the following OGNL evaluation
to null in our JSPs :(
 
"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"

After much time, I've fixed that as below, which you may like :)

1. Extending StrutsPrepareAndExecuteFilter

package utils;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.struts2.StrutsStatics;
import org.apache.struts2.dispatcher.StrutsRequestWrapper;
import org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter;

import com.opensymphony.xwork2.ActionContext;

/**
 * Drop-in replacement for the stock Struts filter: publishes a small helper
 * object as a request attribute so JSPs can reach javax.servlet.* values
 * through a class that lives in a package OGNL is allowed to call into.
 *
 * @author Yasser Zamani
 */
public class MYStrutsPrepareAndExecuteFilter extends StrutsPrepareAndExecuteFilter {

    // Stateless, so a single instance can be shared by every request.
    private MYOgnlUtils myOgnlUtils = new MYOgnlUtils();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Expose the helper for the duration of this request only.
        req.setAttribute("my.ognl_utils", myOgnlUtils);
        try {
            super.doFilter(req, res, chain);
        } finally {
            req.removeAttribute("my.ognl_utils");
        }
    }

    /**
     * Declared in package "utils", not under javax., so OGNL may invoke
     * getRequestURI() here; the javax call itself happens in plain Java.
     */
    public class MYOgnlUtils {
        public String getRequestURI() {
            StrutsRequestWrapper srw = (StrutsRequestWrapper) ActionContext.getContext()
                    .get(StrutsStatics.HTTP_REQUEST);
            return srw.getRequestURI();
        }
    }
}

2. web.xml
  <filter>
   <filter-name>struts2</filter-name>
   <filter-class>utils.MYStrutsPrepareAndExecuteFilter</filter-class>
  </filter>

3. JSPs
"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].getAttribute('my.ognl_utils').requestURI}"

**You may implement it in a similar way without excluding the generic object.**

Good Luck,
Yasser.

On 2/1/2017 3:46 AM, Yasser Zamani wrote:
> Yes I think. https://www.exploit-db.com/exploits/33142/ says there will
> be a remote command execution vulnerability. You may try that exploit
> and see for any results on your
> server.<https://www.exploit-db.com/exploits/33142/>
>
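The member check behind both problems in this thread, as an added sketch that is not code from the thread or from Struts itself: a constructed Java model of how struts.excludedClasses and struts.excludedPackageNames are applied to the target object's class and to the method's declaring class, which is why `.requestURI` on the request wrapper comes back null while `.getAttribute(...)` on the same wrapper is allowed, and what dropping java.lang.Object from the exclusion lists (Anurag's question) reopens. The class and package lists and the com.example.MyAction name are constructed placeholders, not the real struts-default.xml values.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Simplified model of the OGNL member check behind struts.excludedClasses and
 * struts.excludedPackageNames (a sketch, not Struts' own SecurityMemberAccess; the lists are a
 * constructed subset, not the real struts-default.xml values): a call is refused when the
 * target's runtime class, or the class that DECLARES the method, is excluded by name or package.
 */
public class ExclusionCheckDemo {
    static final Set<String> EXCLUDED_CLASSES = new HashSet<>(Arrays.asList(
            "java.lang.Object", "java.lang.Class", "java.lang.ClassLoader"));
    static final Set<String> EXCLUDED_PACKAGES = new HashSet<>(Arrays.asList(
            "java.lang.", "javax.", "ognl."));
    static boolean inExcludedPackage(String className, Set<String> prefixes) {
        return prefixes.stream().anyMatch(className::startsWith);
    }

    /** targetClass: runtime class OGNL calls into; declaringClass: where the method is declared. */
    static boolean isAccessible(String targetClass, String declaringClass,
                                Set<String> classes, Set<String> packages) {
        if (classes.contains(targetClass) || classes.contains(declaringClass)) {
            return false;
        }
        return !inExcludedPackage(targetClass, packages) && !inExcludedPackage(declaringClass, packages);
    }
    public static void main(String[] args) {
        String wrapper = "org.apache.struts2.dispatcher.StrutsRequestWrapper";
        // .requestURI -> getRequestURI() is inherited from javax.servlet.http.HttpServletRequestWrapper,
        // declared under javax., so the call is refused and the JSP expression evaluates to null.
        System.out.println("requestURI on wrapper: " + isAccessible(wrapper,
                "javax.servlet.http.HttpServletRequestWrapper", EXCLUDED_CLASSES, EXCLUDED_PACKAGES));
        // .getAttribute(...) -> StrutsRequestWrapper overrides getAttribute, so the declaring class is
        // Struts' own; the helper fetched that way then makes the javax call in plain Java.
        System.out.println("getAttribute on wrapper: "
                + isAccessible(wrapper, wrapper, EXCLUDED_CLASSES, EXCLUDED_PACKAGES));
        // .class on an action -> getClass() is declared by java.lang.Object (first hop of the
        // class.classLoader chain behind the ClassLoader-manipulation advisories linked in this thread).
        Set<String> relaxedClasses = new HashSet<>(EXCLUDED_CLASSES);
        relaxedClasses.remove("java.lang.Object");
        Set<String> relaxedPackages = new HashSet<>(EXCLUDED_PACKAGES);
        relaxedPackages.remove("java.lang.");
        String action = "com.example.MyAction"; // hypothetical action class, not from the thread
        System.out.println("class on action, default lists: "
                + isAccessible(action, "java.lang.Object", EXCLUDED_CLASSES, EXCLUDED_PACKAGES));
        System.out.println("class on action, relaxed lists: "
                + isAccessible(action, "java.lang.Object", relaxedClasses, relaxedPackages));
    }
}
```

The "relaxed lists" case is the weakened configuration the thread warns against: once java.lang.Object is reachable, every action exposes the class property that the cited ClassLoader-manipulation advisories start from.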


Re: Struts 2.3.31 is excluding generic object.

Posted by Yasser Zamani <ya...@live.com>.
Yes, I think so. https://www.exploit-db.com/exploits/33142/ says there will be a remote command execution vulnerability. You may try that exploit and see if there are any results on your server.
