
Important Security Update for Struts 2.0.x

If you're using Struts 2.0.x, you should upgrade to 2.0.11.2 to fix a vulnerability in ParametersInterceptor reported by Meder Kydyraliev of Google's security team:

I believe I've discovered a vulnerability that allows attackers to
bypass security measures implemented in ParametersInterceptor. OGNL is
a pretty complex language and provides a lot of features, so, for
example, using expression evaluation
(http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html)
it is possible to bypass the '#' protection and modify objects in the
context. So, for instance, to set #session.user to '0wn3d' the
following parameter name can be used:

('\u0023' + 'session[\'user\']')(unused)=0wn3d

which will look as follows once URL encoded:

('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d

I am not sure what the percentage of users is that are actually using
parameter names more complex than foo.bar or foo['bar']/foo[0], but
if the percentage is low, it may be a good idea to whitelist a set of
characters and only allow parameter names that match the whitelist.
Maybe making this expression configurable to allow for more complex
cases.
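The two checks the report contrasts, as an added example in Python (this is not Struts or OGNL code, and it does not evaluate OGNL): a check that only looks for a literal '#' in the parameter name lets the reported name through, because OGNL turns the string literal '\u0023' into '#' only when the expression is evaluated, whereas a whitelist that accepts only the simple shapes the report names (foo, foo.bar, foo['bar'], foo[0]) rejects it before any evaluation happens. The regular expression, the function names and the decoding step are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# The parameter name from the report, raw and URL-encoded (copied from the text above).
RAW_BYPASS = "('\\u0023' + 'session[\\'user\\']')(unused)"
ENCODED_BYPASS = "('\\u0023'%20%2b%20'session[\\'user\\']')(unused)"


def naive_hash_check(param_name):
    """The kind of check the report says is bypassed: the name is rejected only if it
    literally contains '#'. OGNL evaluates the literal '\\u0023' to '#' at runtime, so
    this check never sees the character it is looking for."""
    return "#" not in param_name


# Assumed whitelist: a bare identifier followed by any number of .bar / [0] / ['bar']
# accessors. Parentheses, quotes outside brackets, operators and backslash escapes
# cannot match, so OGNL expressions are rejected without being evaluated.
SIMPLE_PARAM_NAME = re.compile(
    r"[A-Za-z_][A-Za-z0-9_]*"             # foo
    r"(?:\.[A-Za-z_][A-Za-z0-9_]*"        # .bar
    r"|\[[0-9]+\]"                        # [0]
    r"|\['[A-Za-z0-9_]+'\])*"             # ['bar']
)


def whitelist_check(param_name):
    """Whitelist in the spirit of the report's suggestion: accept only names shaped like
    foo, foo.bar, foo['bar'] or foo[0]."""
    return SIMPLE_PARAM_NAME.fullmatch(param_name) is not None


def screen(encoded_name):
    """Decode the name as a container would before parameter interception, then apply
    both checks. Returns the decoded name and each check's verdict."""
    name = unquote(encoded_name)
    return {
        "decoded": name,
        "naive_allows": naive_hash_check(name),
        "whitelist_allows": whitelist_check(name),
    }


if __name__ == "__main__":
    for candidate in (ENCODED_BYPASS, "foo.bar", "foo%5B'bar'%5D", "foo%5B0%5D", "%23session%5B'user'%5D"):
        print(screen(candidate))
```

Running the script shows the report's encoded name decoding back to the raw form, passing the '#' check and failing the whitelist; the plain '#session['user']' form fails both, and the three simple shapes pass both.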

