[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Apache Struts 2, XWork, OpenSymphony WebWork Java Class Path Information Disclosure
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Apache Struts 2, XWork, OpenSymphony WebWork Java Class Path Information Disclosure
- From: marian.ventuneac@xxxxxxxxx
- Date: Wed, 18 May 2011 15:40:53 -0600
Security Advisory: MVSA-11-007
(http://www.ventuneac.net/security-advisories/MVSA-11-007)
CVE: CVE-2011-2088
Vendors: Apache Software Foundation, OpenSymphony
Products: Struts 2, XWork , WebWork
Vulnerabilities: Java Class Path Information Disclosure
Risk: Medium
Attack Vector: From Remote
Authentication: Not Required
References:
http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html
https://issues.apache.org/jira/browse/WW-3579
Description
XWork before version 2.2.1 allows Java class path disclosure when non-existent
method is requested
* using <s:submit> tag with and Dynamic Method Invocation (DMI) enabled.
* using bang notation (actionclass!method.action) with Dynamic Method
Invocation (DMI) enabled
Apache Struts 2 and OpenSymphony WebWork frameworks are vulnerable to similar
attacks.
1. Using <s:submit> tag with Dynamic Method Invocation (DMI) enabled.
a. Test case for Struts 2.2.1 with XWork 2.2.1
http://test.app.net/home.action?user=&password=&action!login:cantLogin_1=some_value
XWork generated error:
some_path.action.LoginAction.cantLogin_1()
2. Using bang notation actionclass!method.action with Dynamic Method Invocation
(DMI) enabled
a. Test case for Struts 2.2.1 with XWork 2.2.1
http://127.0.0.1:8088/struts2-showcase/token/tokenPrepare2!input1.action
XWork generated error:
org.apache.struts2.showcase.token.TokenAction.input1()
b. Test case for Struts 2.0.6 with XWork 2.0.1
http://127.0.0.1:8088/struts2-showcase-2.0.6/token/tokenPrepare2!input1.action
XWork generated error:
java.lang.NoSuchMethodException:
org.apache.struts2.showcase.token.TokenAction.input1()
Affected Versions
Multiple releases of Apache Struts 2 framework prior to 2.2.3 were found
vulnerable to this vulnerability.
Other open source and commercial products using XWork framework could be
vulnerable to similar attacks.
WebWork framework released by OpenSymphony (http://opensymphony.org) was
confirmed as vulnerable to the second attack described in this advisory.
Mitigation
It is recommended to upgrade to Apache Struts 2.2.3 released on 5th of May
2011, or to the latest available version.
Alternatively, it is recommended to implement a custom error page (eg.
error_page.jsp) which either uses proper output encoding to display XWork
generated errors or displays a generic error message. An example of Struts
configuration (required in struts.xml file) is shown below:
?
<global-results>
<result name="error">/error_page.jsp</result>
</global-results>
<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>
?
Disclosure Timeline
2011, February 18: Vulnerabilities discovered and documented
2011, February 18: First notification sent to Apache
2011, February 21: Second notification sent to Apache
2011, February 22: WW-3579 JIRA ticket created
2011, February 22: Apache acknowledges receiving the report
2011, February 22: Apache acknowledges the vulnerabilities
2011, March 27: Apache Struts 2.2.2 test build released
2011, April 8: Apache Struts 2.2.3 test build released
2011, May 5: Apache Struts 2.2.3 general availability build released
2011, May 18: MVSA-11-007 advisory published.
MVSA-11-007
Dr. Marian Ventuneac