
Important Security Update for Struts 2.0.x

If you're using Struts 2.0.x, you should upgrade to 2.0.11.2 in order to fix a vulnerability reported by Meder Kydyraliev of Google's security team:

I believe I've discovered a vulnerability that allows attackers to
bypass security measures implemented in ParametersInterceptor. OGNL is
a pretty complex language and provides a lot of features, so, for
example, using expression evaluation
( http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html)
it is possible to bypass the '#' protection and modify objects in the
context. So, for instance, to set #session.user to '0wn3d' the
following parameter name can be used:

('\u0023' + 'session[\'user\']')(unused)=0wn3d

which will look as follows once URL encoded:

('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d

I am not sure what's the percentage of users that are actually using
parameter names more complex than foo.bar or foo['bar']/foo[0] , but
if the percentage is low, it may be a good idea to whitelist a set of
characters and only allow parameter names that match the whitelist.
Maybe making this expression configurable to allow for more complex
cases.
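The report above suggests rejecting any parameter name that does not match a whitelist of simple shapes (foo.bar, foo['bar'], foo[0]). The following is an added illustration of that idea, not code from Struts or from the report: a small Python filter that URL-decodes each parameter name and keeps only names matching such a pattern, so the OGNL expression shown above (and a plain #session.user name) is dropped before it could ever reach an expression evaluator. The sample query string, the regex and the function names are constructed for this example; Struts itself later added its own acceptable-name pattern in ParametersInterceptor, and this example assumes nothing about that implementation.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Allowlist for parameter names (an assumption for this example, not the
# Struts pattern): an identifier, optionally followed by numeric or
# single-quoted string indexes, joined by dots, e.g.
#   foo.bar   foo['bar']   foo[0]   user.roles[2].name
_SEGMENT = r"[A-Za-z_][A-Za-z0-9_]*"
_INDEX = r"\[(?:\d+|'[A-Za-z0-9_]+')\]"
PARAM_NAME_RE = re.compile(
    rf"{_SEGMENT}(?:{_INDEX})*(?:\.{_SEGMENT}(?:{_INDEX})*)*"
)


def is_accepted_param_name(name: str) -> bool:
    """True only if the already URL-decoded name matches the allowlist.

    Anything containing '#', '(', '+', quotes outside an index, or
    unicode escapes fails to match and is therefore rejected.
    """
    return PARAM_NAME_RE.fullmatch(name) is not None


def filter_params(query: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a raw query string, decode names, keep only allowlisted ones.

    Returns (accepted name->value mapping, list of rejected decoded names).
    Decoding happens *before* the check so that percent-encoded variants
    of a forbidden character cannot slip past the allowlist.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for pair in query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name = unquote(raw_name)
        if is_accepted_param_name(name):
            accepted[name] = unquote(raw_value)
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed sample request: three ordinary parameters, the URL-encoded
# OGNL parameter name from the report, and a direct '#' reference.
SAMPLE_QUERY = (
    "user.name=alice"
    "&roles[0]=admin"
    "&profile['email']=alice%40example.org"
    "&('\\u0023'%20%2b%20'session[\\'user\\']')(unused)=0wn3d"
    "&%23session.user=0wn3d"
)


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Run the filter over the constructed sample and return its result."""
    return filter_params(SAMPLE_QUERY)


if __name__ == "__main__":
    accepted, rejected = demo()
    for name, value in accepted.items():
        print(f"accepted  {name} = {value}")
    for name in rejected:
        print(f"rejected  {name}")
```

Running the block prints the three ordinary parameters as accepted and the two '#'-bearing names as rejected. The point of decoding before matching is that `%23` and `\u0023` are both ways of spelling `#`; the allowlist never has to enumerate encodings of forbidden characters because it only describes what is permitted.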

