
Important Security Update for Struts 2.0.x


If you're using Struts 2.0.x you should upgrade to in order to fix a vulnerability reported by Meder Kydyraliev of Google's security team:

I believe I've discovered a vulnerability that allows attackers to
bypass security measures implemented in ParametersInterceptor. OGNL is
a pretty complex language and provides a lot of features, so, for
example, using expression evaluation
it is possible to bypass the '#' protection and modify objects in the
context. So, for instance, to set #session.user to '0wn3d' the
following parameter name can be used:

('\u0023' + 'session[\'user\']')(unused)=0wn3d

which will look as follows once URL encoded:


I am not sure what the percentage of users actually using
parameter names more complex than foo.bar or foo['bar']/foo[0] is, but
if the percentage is low, it may be a good idea to whitelist a set of
characters and only allow parameter names that match the whitelist.
Maybe making this expression configurable to allow for more complex
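The whitelist idea from the report above, as an added stand-alone illustration (not Struts code and not the reporter's): each parameter name is URL-decoded first and then matched against a fixed character set that covers foo.bar, foo['bar'] and foo[0] but has no room for the parentheses, backslash, '+' or spaces that the "(expr)(unused)" shape needs. The character set and the sample query string are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Whitelist for the decoded parameter name: letters, digits, underscore,
# dots, square brackets and single quotes. This is the example's own
# choice of character set, not the set Struts ships; it accepts the
# common shapes foo.bar, foo['bar'] and foo[0] and rejects '(', '#',
# '\', '+' and whitespace, so an OGNL "(expr)(unused)" evaluation
# cannot be spelled inside a name.
ACCEPTED_NAME = re.compile(r"^[A-Za-z0-9_.\[\]']+$")


def is_accepted_name(name: str) -> bool:
    """Return True if an already-decoded parameter name matches the whitelist."""
    return ACCEPTED_NAME.fullmatch(name) is not None


def filter_params(query_string: str):
    """Parse a raw query string, decode each name and keep only the names
    that pass the whitelist. Returns (accepted_dict, rejected_name_list).
    Decoding happens before the check on purpose: '%23' decodes to '#',
    so a check on the still-encoded text would be trivially bypassed."""
    accepted, rejected = {}, []
    for pair in query_string.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name = unquote_plus(raw_name)
        if is_accepted_name(name):
            accepted[name] = unquote_plus(raw_value)
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed sample: three ordinary names plus the bypass shape quoted in
# the report, all URL-encoded the way a client would send them.
SAMPLE_QUERY = (
    "foo.bar=1&foo%5B%27bar%27%5D=2&foo%5B0%5D=3"
    "&%28%27%5Cu0023%27+%2B+%27session%5B%5C%27user%5C%27%5D%27%29%28unused%29=0wn3d"
)

if __name__ == "__main__":
    ok, bad = filter_params(SAMPLE_QUERY)
    print("accepted:", ok)
    print("rejected:", bad)
```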



