
Important Security Update for Struts 2.0.x


If you're using Struts 2.0.x you should upgrade to in order to fix a vulnerability reported by Meder Kydyraliev of Google's security team:

I believe I've discovered a vulnerability that allows attackers to
bypass security measures implemented in ParametersInterceptor. OGNL is
a pretty complex language and provides a lot of features, so, for
example, using expression evaluation
( http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html)
it is possible to bypass the '#' protection and modify objects in the
context. So, for instance, to set #session.user to '0wn3d' the
following parameter name can be used:

('\u0023' + 'session[\'user\']')(unused)=0wn3d

which will look as follows once URL encoded:


I am not sure what's the percentage of users that are actually using
parameter names more complex than foo.bar or foo['bar']/foo[0] , but
if the percentage is low, it may be a good idea to whitelist a set of
characters and only allow parameter names that match the whitelist.
Maybe making this expression configurable to allow for more complex


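As an added illustration of the whitelist approach the report suggests (example code written for this page, not Struts' own ParametersInterceptor logic; the accepted-name pattern is an assumption), here is a literal '#' denylist compared against a whitelist of the plain parameter-name shapes the report mentions, run over the quoted payload:

```python
import re

# Constructed inputs for the demonstration: the three ordinary parameter-name
# shapes named in the report, plus the bypass payload it quotes. The \u0023
# escape is OGNL's spelling of '#', so a check for the literal character misses it.
ORDINARY_NAMES = ["foo.bar", "foo['bar']", "foo[0]"]
BYPASS_NAME = "('\\u0023' + 'session[\\'user\\']')(unused)"


def denylist_allows(name: str) -> bool:
    """Naive check: reject only parameter names containing a literal '#'."""
    return "#" not in name


# Assumed whitelist (not the regex Struts ships): a dotted identifier path where
# each segment may carry index accessors of the form [0] or ['key'].
_SEGMENT = r"[A-Za-z_][A-Za-z0-9_]*(?:\[(?:\d+|'[A-Za-z0-9_]+')\])*"
ACCEPT_PARAM_NAME = re.compile(rf"^{_SEGMENT}(?:\.{_SEGMENT})*$")


def whitelist_allows(name: str) -> bool:
    """Accept a parameter name only if the whole name matches the whitelist."""
    return ACCEPT_PARAM_NAME.fullmatch(name) is not None


def classify(names):
    """Map each name to (denylist verdict, whitelist verdict) for comparison."""
    return {n: (denylist_allows(n), whitelist_allows(n)) for n in names}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in classify(ORDINARY_NAMES + [BYPASS_NAME]).items():
        print(f"{name!r:45} denylist={deny_ok} whitelist={allow_ok}")
```

The payload passes the denylist because no literal '#' appears in it, while the whitelist rejects it outright since quotes, parentheses and the '+' operator are never part of an accepted name.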

