struts-commits mailing list archives

From lukaszlen...@apache.org
Subject svn commit: r1008101 - /websites/production/struts/content/docs/s2-045.html
Date Fri, 10 Mar 2017 18:59:47 GMT
Author: lukaszlenart
Date: Fri Mar 10 18:59:47 2017
New Revision: 1008101

Log:
Updates production

Modified:
    websites/production/struts/content/docs/s2-045.html

Modified: websites/production/struts/content/docs/s2-045.html
==============================================================================
--- websites/production/struts/content/docs/s2-045.html (original)
+++ websites/production/struts/content/docs/s2-045.html Fri Mar 10 18:59:47 2017
@@ -34,6 +34,20 @@ under the License.
             color:                 #666;
         }
     </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet'
type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet'
type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
     <script type="text/javascript" language="javascript">
         var hide = null;
         var show = null;
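Review bot: The added includes at the top of this hunk load eight SyntaxHighlighter scripts (shCore plus the Plain, Xml, Java, JScript, Groovy, Bash and Css brushes) and two stylesheets, but the only highlighted block this commit adds to the page is marked "brush: xml". Unless this head section comes from a shared template, trim the includes to shCore.js, shBrushXml.js and the two stylesheets so the advisory page loads no script it does not use. The URLs are also absolute (https://struts.apache.org/highlighter/...), which ties any copy of the page served from another host to the production site; relative paths would avoid that if the site layout allows it.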
@@ -125,7 +139,35 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-045-Summary">Summary</h2>Possible
Remote Code Execution when performing file upload based on Jakarta Multipart parser.<div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file
upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2332.
 html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts
2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span
style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Nike Zheng &lt;nike dot zheng
at dbappsecurity dot com dot cn&gt;</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2
id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with
a malicious&#160;<code>Content-Type</code>&#160;value. If the <code>Content-Type</code>&#160;value
isn't valid an exception is thrown which is then used to display an error me
 ssage to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you
are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32
or 2.5.10.1. You can also switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a>
of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward compatibility</h2><p>No
backward incompatibility issues are expected.</p><h2 id="S2-045-Workaround">Workaround</h2><p>Implement
a Servlet filter which will validate <code>Content-Type</code>&#160;and throw
away request with suspicious values not matching&#160;<code>multipart/form-data.</code></p></div>
+            <div id="ConfluenceContent"><h2 id="S2-045-Summary">Summary</h2>Possible
Remote Code Execution when performing file upload based on Jakarta Multipart parser.<div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file
upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2332.
 html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts
2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span
style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Nike Zheng &lt;nike dot zheng
at dbappsecurity dot com dot cn&gt;</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2
id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with
a malicious&#160;<code>Content-Type</code>&#160;value. If the <code>Content-Type</code>&#160;value
isn't valid an exception is thrown which is then used to display an error me
 ssage to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you
are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32
or 2.5.10.1. You can also switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a>
of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward compatibility</h2><p>No
backward incompatibility issues are expected.</p><h2 id="S2-045-Workaround">Workaround</h2><p>Implement
a Servlet filter which will validate <code>Content-Type</code>&#160;and throw
away request with suspicious values not matching&#160;<code>multipart/form-data</code>.</p><p>Other
option is to remove the&#160;<a shape="rect" href="file-upload-interceptor.html">File
Upload Interceptor</a> from the stack, just define your own custom stack and set it
as a default - please read&#160;<a shape="rect" href="how-do-we-configure-an-interceptor-to-be-used-with-
 every-action.html">How do we configure an Interceptor to be used with every Action</a>.
This will work only for Struts 2.5.8 - 2.5.10.</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;interceptors&gt;
+    &lt;interceptor-stack name="defaultWithoutUpload"&gt;
+        &lt;interceptor-ref name="exception"/&gt;
+        &lt;interceptor-ref name="alias"/&gt;
+        &lt;interceptor-ref name="servletConfig"/&gt;
+        &lt;interceptor-ref name="i18n"/&gt;
+        &lt;interceptor-ref name="prepare"/&gt;
+        &lt;interceptor-ref name="chain"/&gt;
+        &lt;interceptor-ref name="scopedModelDriven"/&gt;
+        &lt;interceptor-ref name="modelDriven"/&gt;
+        &lt;interceptor-ref name="checkbox"/&gt;
+        &lt;interceptor-ref name="datetime"/&gt;
+        &lt;interceptor-ref name="multiselect"/&gt;
+        &lt;interceptor-ref name="staticParams"/&gt;
+        &lt;interceptor-ref name="actionMappingParams"/&gt;
+        &lt;interceptor-ref name="params"/&gt;
+        &lt;interceptor-ref name="conversionError"/&gt;
+        &lt;interceptor-ref name="validation"&gt;
+            &lt;param name="excludeMethods"&gt;input,back,cancel,browse&lt;/param&gt;
+        &lt;/interceptor-ref&gt;
+        &lt;interceptor-ref name="workflow"&gt;
+            &lt;param name="excludeMethods"&gt;input,back,cancel,browse&lt;/param&gt;
+        &lt;/interceptor-ref&gt;
+        &lt;interceptor-ref name="debugging"/&gt;
+    &lt;/interceptor-stack&gt;
+&lt;/interceptors&gt;
+&lt;default-interceptor-ref name="defaultWithoutUpload"/&gt;</pre>
+</div></div></div>
         </div>
 
         
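Review bot: The version limit for the new workaround is the last sentence of the added paragraph ("This will work only for Struts 2.5.8 - 2.5.10."), after the instructions and both links, while the Affected Software row lists Struts 2.3.5 - 2.3.31 and Struts 2.5 - 2.5.10. A reader on 2.3.x or 2.5 - 2.5.7 can apply the stack and assume they are covered; open the paragraph with the version range and say that everyone else should upgrade or use the Content-Type filter. The paragraph should also state that the "defaultWithoutUpload" stack contains no "fileUpload" reference, so actions that rely on file upload will stop receiving files, and name the stack the listing was derived from so that users with a customised stack know which single reference to drop. "Other option is" should read "Another option is".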


