Author: lukaszlenart
Date: Wed Jun 5 05:24:01 2013
New Revision: 864459
Log:
Adds missing version notes
Added:
websites/production/struts/content/release/2.3.x/docs/s2-015.html
Modified:
websites/production/struts/content/release/2.3.x/docs/security-bulletins.html
Added: websites/production/struts/content/release/2.3.x/docs/s2-015.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/s2-015.html (added)
+++ websites/production/struts/content/release/2.3.x/docs/s2-015.html Wed Jun
5 05:24:01 2013
@@ -0,0 +1,262 @@
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+ <HEAD>
+ <LINK type="text/css" rel="stylesheet"
href="https://struts.apache.org/css/default.css">
+ <STYLE type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </STYLE>
+ <STYLE type="text/css">
+ .footer {
+ background-image:
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </STYLE>
+ <SCRIPT type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </SCRIPT>
+ <TITLE>S2-015</TITLE>
+ <META http-equiv="Content-Type" content="text/html;charset=UTF-8"></HEAD>
+ <BODY onload="init()">
+ <TABLE border="0" cellpadding="2" cellspacing="0" width="100%">
+ <TR class="topBar">
+ <TD align="left" valign="middle" class="topBarDiv" align="left"
nowrap="">
+ <A href="home.html" title="Apache Struts 2
Documentation">Apache Struts 2 Documentation</A> > <A
href="home.html" title="Home">Home</A> > <A
href="security-bulletins.html" title="Security Bulletins">Security
Bulletins</A> > <A href="" title="S2-015">S2-015</A>
+ </TD>
+ <TD align="right" valign="middle" nowrap="">
+ <FORM name="search" action="http://www.google.com/search"
method="get">
+ <INPUT type="hidden" name="ie" value="UTF-8">
+ <INPUT type="hidden" name="oe" value="UTF-8">
+ <INPUT type="hidden" name="domains" value="">
+ <INPUT type="hidden" name="sitesearch" value="">
+ <INPUT type="text" name="q" maxlength="255" value="">
+ <INPUT type="submit" name="btnG" value="Google Search">
+ </FORM>
+ </TD>
+ </TR>
+ </TABLE>
+
+ <DIV id="PageContent">
+ <DIV class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the
logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left;
margin: 4px 4px 4px 10px;" border="0"-->
+ <DIV style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts
2 Documentation</DIV>
+ <DIV style="margin: 0px 10px 8px 10px" class="pagetitle">S2-015</DIV>
+
+ <DIV class="greynavbar" align="right" style="padding: 2px 10px;
margin: 0px;">
+ <A
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823638">
+ <IMG
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif" height="16"
width="16" border="0" align="absmiddle" title="Edit Page"></A>
+ <A
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823638">Edit
Page</A>
+
+ <A
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <IMG
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
height="16" width="16" border="0" align="absmiddle" title="Browse Space"></A>
+ <A
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse
Space</A>
+
+ <A
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823638">
+ <IMG
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
height="16" width="16" border="0" align="absmiddle" title="Add Page"></A>
+ <A
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823638">Add
Page</A>
+
+ <A
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823638">
+ <IMG
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
height="16" width="16" border="0" align="absmiddle" title="Add News"></A>
+ <A
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823638">Add
News</A>
+ </DIV>
+ </DIV>
+
+ <DIV class="pagecontent">
+ <DIV class="wiki-content">
+ <H2><A name="S2-015-Summary"></A>Summary</H2>
+
+
+<P>A vulnerability introduced by wildcard matching mechanism or double
evaluation of OGNL Expression allows remote command execution.</P>
+
+
+<DIV class="table-wrap">
+<TABLE class="confluenceTable"><TBODY>
+<TR>
+<TH class="confluenceTh">Who should read this</TH>
+<TD class="confluenceTd">All Struts 2 developers and users</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Impact of vulnerability</TH>
+<TD class="confluenceTd">Remote command execution, remote server context
manipulation, injection of malicious client side code</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Maximum security rating</TH>
+<TD class="confluenceTd">Highly Critical</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Recommendation</TH>
+<TD class="confluenceTd">Developers should immediately upgrade to <A
href="http://struts.apache.org/download.cgi#struts23143" class="external-link"
rel="nofollow">Struts 2.3.14.3</A></TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Affected Software</TH>
+<TD class="confluenceTd"> Struts 2.0.0 - Struts 2.3.14.2 </TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Reporter</TH>
+<TD class="confluenceTd"> Jon Passki from Coverity Security Research
Laboratory reported directly to [email protected] and via <A
href="https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection"
class="external-link" rel="nofollow">blog post</A> </TD>
+</TR>
+<TR>
+<TH class="confluenceTh">CVE Identifier</TH>
+<TD class="confluenceTd"><A
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2135"
class="external-link" rel="nofollow">CVE-2013-2135</A>, <A
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2134"
class="external-link" rel="nofollow">CVE-2013-2134</A></TD>
+</TR>
+</TBODY></TABLE>
+</DIV>
+
+
+<H2><A name="S2-015-Problem"></A>Problem</H2>
+
+<P>Struts 2 allows define action mapping base on wildcards, like in example
below:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag"><action name=<SPAN
class="code-quote">"*"</SPAN> class=<SPAN
class="code-quote">"example.ExampleSupport"</SPAN>></SPAN>
+ <SPAN class="code-tag"><result></SPAN>/example/{1}.jsp<SPAN
class="code-tag"></result></SPAN>
+<SPAN class="code-tag"></action></SPAN>
+</PRE>
+</DIV></DIV>
+
+<P>If a request doesn't match any other defined action, it will be matched by
<TT>*</TT> and requested action name will be used to load JSP file base on the
name of action. And as value of {<TT>1</TT>} is threaten as an OGNL expression,
thus allow to execute arbitrary Java code on server side. This vulnerability is
combination of two problems:</P>
+<UL class="alternate" type="square">
+ <LI>requested action name isn't escaped or checked agains whitelist</LI>
+ <LI>double evaluation of an OGNL expression in
<TT>TextParseUtil.translateVariables</TT> when combination of <TT>$</TT> and
<TT>%</TT> open chars is used.</LI>
+</UL>
+
+
+<H2><A name="S2-015-Proofofconcept"></A>Proof of concept</H2>
+
+<H4><A name="S2-015-Wildcardmatching"></A>Wildcard matching</H4>
+<OL>
+ <LI>Run struts2-blank app</LI>
+ <LI>Open the following url, resulting in dynamic action name resolution
based on passed value of <TT>#foo</TT>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-java">http:<SPAN
class="code-comment">//localhost:8080/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D</SPAN></PRE>
+</DIV></DIV>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-java">http:<SPAN
class="code-comment">//localhost:8080/example/${#foo='Menu',#foo}</SPAN></PRE>
+</DIV></DIV></LI>
+</OL>
+
+
+<P>As you can notice, action name is resolved based on user input and you can
put any arbitrary code to perform attack.</P>
+
+<H4><A name="S2-015-Doubleevaluationofanexpression"></A>Double evaluation of
an expression</H4>
+<OL>
+ <LI>Open example.xml present in the Struts Blank App and change result
of HelloWorld action to one below:
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag"><result type=<SPAN
class="code-quote">"httpheader"</SPAN>></SPAN>
+ <SPAN class="code-tag"><param name=<SPAN
class="code-quote">"headers.foobar"</SPAN>></SPAN>${message}<SPAN
class="code-tag"></param></SPAN>
+<SPAN class="code-tag"></result></SPAN>
+</PRE>
+</DIV></DIV></LI>
+ <LI>Open HelloWorld.java and change <TT>execute()</TT> method as below:
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-java">
+<SPAN class="code-keyword">public</SPAN> <SPAN
class="code-object">String</SPAN> execute() <SPAN
class="code-keyword">throws</SPAN> Exception {
+ <SPAN class="code-keyword">return</SPAN> SUCCESS;
+}
+</PRE>
+</DIV></DIV></LI>
+ <LI>Run struts2-blank app</LI>
+ <LI>Open the following url (you must have a tool to check response
headers)
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-java">http:<SPAN
class="code-comment">//localhost:8080/example/HelloWorld.action?message=%24{%25{1%2B2}}</SPAN></PRE>
+</DIV></DIV>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-java">http:<SPAN
class="code-comment">//localhost:8080/example/HelloWorld.action?message=${%{1+2}}</SPAN></PRE>
+</DIV></DIV></LI>
+ <LI>Check value of <TT>foobar</TT> header, it should be <TT>3</TT></LI>
+</OL>
+
+
+<P>As you can notice, passed value of <TT>message</TT> parameter was used to
set value of <TT>foobar</TT> header and the value was double evaluated - first
time when <TT>${message</TT>} was evaluated, secondly when parsed value
(<TT>${%{1+2</TT>}}) was evaluated again.</P>
+
+<H2><A name="S2-015-Solution"></A>Solution</H2>
+
+<P>With the new version actions' names whitelisting was introduced and by
default is set to accept actions that match the following regex:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-java">[a-z]*[A-Z]*[0-9]*[.\-_!/]*</PRE>
+</DIV></DIV>
+<P>user can change the definition by setting up a new constant in struts.xml
as below:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent
panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag"><constant name=<SPAN
class="code-quote">"struts.allowed.action.names"</SPAN> value=<SPAN
class="code-quote">"[a-zA-Z]*"</SPAN> /></SPAN>
+</PRE>
+</DIV></DIV>
+
+<P>Double evaluation of passed expression was removed from
<TT>OgnlTextParser</TT> which is used by
<TT>TextParseUtil.translateVariables</TT>.</P>
+
+<DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL
width="24"><COL></COLGROUP><TR><TD valign="top"><IMG
src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"
width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Backward
Compatibility</B><BR>There should be no problems with migration from previous
version.</TD></TR></TABLE></DIV>
+
+<DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL
width="24"><COL></COLGROUP><TR><TD valign="top"><IMG
src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif"
width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>It is
strongly recommended to upgrade to <A
href="http://struts.apache.org/download.cgi#struts23143" class="external-link"
rel="nofollow">Struts 2.3.14.3</A>.</B></TD></TR></TABLE></DIV>
+ </DIV>
+
+
+ </DIV>
+ </DIV>
+ <DIV class="footer">
+ Generated by
+ <A href="http://www.atlassian.com/confluence/">Atlassian Confluence</A>
(Version: 3.4.9 Build: 2042 Feb 14, 2011)
+ <A href="http://could.it/autoexport/">Auto Export Plugin</A> (Version:
1.0.0-dkulp)
+ </DIV>
+ </BODY>
+</HTML>
\ No newline at end of file
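Review bot: The default action-name whitelist documented in the Solution section, `[a-z]*[A-Z]*[0-9]*[.\-_!/]*`, cannot match the page's own `HelloWorld` example when applied as a full match, because each character class is consumed once in a fixed order, so a lowercase letter after an uppercase one (the `e` after `H`) ends the match. If the mapper does apply the pattern as a full match, users following this bulletin will see legitimate mixed-case actions rejected and may loosen the constant, which weakens the very control the fix introduces; the documented default should then be stated as a single character class such as `[a-zA-Z0-9._!/\-]*`, after confirming what the shipped code actually uses. Separately, the `<META http-equiv="Content-Type" ...>` charset declaration is the last element of `<HEAD>`, after the stylesheet link, two `<STYLE>` blocks and the script, so it may fall outside the browsers' encoding prescan window and leave the page's non-ASCII characters decoded by sniffing; as the file is auto-exported from Confluence, that correction belongs in the export template rather than in this generated page.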
Modified:
websites/production/struts/content/release/2.3.x/docs/security-bulletins.html
==============================================================================
---
websites/production/struts/content/release/2.3.x/docs/security-bulletins.html
(original)
+++
websites/production/struts/content/release/2.3.x/docs/security-bulletins.html
Wed Jun 5 05:24:01 2013
@@ -124,8 +124,7 @@ under the License.
<DIV class="pagecontent">
<DIV class="wiki-content">
<P>The following security bulletins are available:</P>
-
-<UL><LI><A href="s2-001.html" title="S2-001">S2-001</A> — <SPAN
class="smalltext">Remote code exploit on form validation
error</SPAN></LI><LI><A href="s2-002.html" title="S2-002">S2-002</A> —
<SPAN class="smalltext">Cross site scripting (XSS) vulnerability on
<s:url> and <s:a> tags</SPAN></LI><LI><A href="s2-003.html"
title="S2-003">S2-003</A> — <SPAN class="smalltext">XWork
ParameterInterceptors bypass allows OGNL statement execution</SPAN></LI><LI><A
href="s2-004.html" title="S2-004">S2-004</A> — <SPAN
class="smalltext">Directory traversal vulnerability while serving static
content</SPAN></LI><LI><A href="s2-005.html" title="S2-005">S2-005</A> —
<SPAN class="smalltext">XWork ParameterInterceptors bypass allows remote
command execution</SPAN></LI><LI><A href="s2-006.html"
title="S2-006">S2-006</A> — <SPAN class="smalltext">Multiple Cross-Site
Scripting (XSS) in XWork generated error pages</SPAN></LI><LI><A
href="s2-007.html" t
itle="S2-007">S2-007</A> — <SPAN class="smalltext">User input is
evaluated as an OGNL expression when there's a conversion
error</SPAN></LI><LI><A href="s2-008.html" title="S2-008">S2-008</A> —
<SPAN class="smalltext">Multiple critical vulnerabilities in
Struts2</SPAN></LI><LI><A href="s2-009.html" title="S2-009">S2-009</A> —
<SPAN class="smalltext">ParameterInterceptor vulnerability allows remote
command execution</SPAN></LI><LI><A href="s2-010.html"
title="S2-010">S2-010</A> — <SPAN class="smalltext">When using Struts 2
token mechanism for CSRF protection, token check may be bypassed by misusing
known session attributes</SPAN></LI><LI><A href="s2-011.html"
title="S2-011">S2-011</A> — <SPAN class="smalltext">Long request
parameter names might significantly promote the effectiveness of DOS
attacks</SPAN></LI><LI><A href="s2-012.html" title="S2-012">S2-012</A> —
<SPAN class="smalltext">Showcase app vulnerability allows remote command execut
ion</SPAN></LI><LI><A href="s2-013.html" title="S2-013">S2-013</A> —
<SPAN class="smalltext">A vulnerability, present in the <EM>includeParams</EM>
attribute of the <EM>URL</EM> and <EM>Anchor</EM> Tag, allows remote command
execution</SPAN></LI><LI><A href="s2-014.html" title="S2-014">S2-014</A>
— <SPAN class="smalltext">A vulnerability introduced by forcing parameter
inclusion in the <EM>URL</EM> and <EM>Anchor</EM> Tag allows remote command
execution, session access and manipulation and XSS attacks</SPAN></LI><LI><A
href="https://cwiki.apache.org/confluence/display/WW/S2-015"
title="S2-015">S2-015</A> — <SPAN class="smalltext">A vulnerability
introduced by wildcard matching mechanism or double evaluation of OGNL
Expression allows remote command execution</SPAN></LI></UL>
+<UL><LI><A href="s2-001.html" title="S2-001">S2-001</A> — <SPAN
class="smalltext">Remote code exploit on form validation
error</SPAN></LI><LI><A href="s2-002.html" title="S2-002">S2-002</A> —
<SPAN class="smalltext">Cross site scripting (XSS) vulnerability on
<s:url> and <s:a> tags</SPAN></LI><LI><A href="s2-003.html"
title="S2-003">S2-003</A> — <SPAN class="smalltext">XWork
ParameterInterceptors bypass allows OGNL statement execution</SPAN></LI><LI><A
href="s2-004.html" title="S2-004">S2-004</A> — <SPAN
class="smalltext">Directory traversal vulnerability while serving static
content</SPAN></LI><LI><A href="s2-005.html" title="S2-005">S2-005</A> —
<SPAN class="smalltext">XWork ParameterInterceptors bypass allows remote
command execution</SPAN></LI><LI><A href="s2-006.html"
title="S2-006">S2-006</A> — <SPAN class="smalltext">Multiple Cross-Site
Scripting (XSS) in XWork generated error pages</SPAN></LI><LI><A
href="s2-007.html" t
itle="S2-007">S2-007</A> — <SPAN class="smalltext">User input is
evaluated as an OGNL expression when there's a conversion
error</SPAN></LI><LI><A href="s2-008.html" title="S2-008">S2-008</A> —
<SPAN class="smalltext">Multiple critical vulnerabilities in
Struts2</SPAN></LI><LI><A href="s2-009.html" title="S2-009">S2-009</A> —
<SPAN class="smalltext">ParameterInterceptor vulnerability allows remote
command execution</SPAN></LI><LI><A href="s2-010.html"
title="S2-010">S2-010</A> — <SPAN class="smalltext">When using Struts 2
token mechanism for CSRF protection, token check may be bypassed by misusing
known session attributes</SPAN></LI><LI><A href="s2-011.html"
title="S2-011">S2-011</A> — <SPAN class="smalltext">Long request
parameter names might significantly promote the effectiveness of DOS
attacks</SPAN></LI><LI><A href="s2-012.html" title="S2-012">S2-012</A> —
<SPAN class="smalltext">Showcase app vulnerability allows remote command execut
ion</SPAN></LI><LI><A href="s2-013.html" title="S2-013">S2-013</A> —
<SPAN class="smalltext">A vulnerability, present in the <EM>includeParams</EM>
attribute of the <EM>URL</EM> and <EM>Anchor</EM> Tag, allows remote command
execution</SPAN></LI><LI><A href="s2-014.html" title="S2-014">S2-014</A>
— <SPAN class="smalltext">A vulnerability introduced by forcing parameter
inclusion in the <EM>URL</EM> and <EM>Anchor</EM> Tag allows remote command
execution, session access and manipulation and XSS attacks</SPAN></LI><LI><A
href="s2-015.html" title="S2-015">S2-015</A> — <SPAN class="smalltext">A
vulnerability introduced by wildcard matching mechanism or double evaluation of
OGNL Expression allows remote command execution.</SPAN></LI></UL>
</DIV>
<DIV class="tabletitle">
@@ -178,7 +177,7 @@ under the License.
<A href="s2-014.html" title="S2-014">S2-014</A>
<SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
<BR>
- <A
href="https://cwiki.apache.org/confluence/display/WW/S2-015"
title="S2-015">S2-015</A>
+ <A href="s2-015.html" title="S2-015">S2-015</A>
<SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
<BR>
</DIV>