struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yasser Zamani <yasser.zam...@live.com>
Subject Re: Struts 2.3.31 is excluding generic object.
Date Sun, 12 Mar 2017 14:57:57 GMT
Hi Anurag,

I hope it's not too late but I have some comments.

Today we updated to Struts2.3.32 to fix security issue S2-045.

After that, similar to your problem, we lost following OGNL evaluation 
to null in our JSPs :(
 
"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"

After much time, I've fixed that as below which you may like :)

1. Extending StrutsPrepareAndExecuteFilter
package utils;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.struts2.StrutsStatics;
import org.apache.struts2.dispatcher.StrutsRequestWrapper;
import 
org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter;

import com.opensymphony.xwork2.ActionContext;

/**
  * @author Yasser Zamani
  *
  */
public class MYStrutsPrepareAndExecuteFilter extends 
StrutsPrepareAndExecuteFilter {

	private MYOgnlUtils myOgnlUtils = new MYOgnlUtils();

	@Override
	public void doFilter(ServletRequest req, ServletResponse res, 
FilterChain chain)
			throws IOException, ServletException {
		req.setAttribute("my.ognl_utils", myOgnlUtils);
		try {
			super.doFilter(req, res, chain);
		} finally {
			req.removeAttribute("my.ognl_utils");
		}
	}

	public class MYOgnlUtils {
		public String getRequestURI() {
			StrutsRequestWrapper srw = ((StrutsRequestWrapper) 
ActionContext.getContext()
					.get(StrutsStatics.HTTP_REQUEST));
			return srw.getRequestURI();
		}
	}
}

2. web.xml
  <filter>
   <filter-name>struts2</filter-name>
   <filter-class>utils.MYStrutsPrepareAndExecuteFilter</filter-class>
  </filter>

3. JSPs
"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].getAttribute('taam.ognl_utils').requestURI}"

**You may implement in similar way without excluding generic object.**

Good Luck,
Yasser.

On 2/1/2017 3:46 AM, Yasser Zamani wrote:
> Yes I think. https://www.exploit-db.com/exploits/33142/ says there will
> be a remote command execution vulnerability. You may try that exploit
> and see for any results on your
> server.<https://www.exploit-db.com/exploits/33142/>
>
> Apache Struts - ClassLoader Manipulation Remote Code ...
> <https://www.exploit-db.com/exploits/33142/>
> www.exploit-db.com
> Apache Struts - ClassLoader Manipulation Remote Code Execution
> (Metasploit). CVE-2014-0094,CVE-2014-0112,CVE-2014-0113. Remote exploit
> for Multiple platform....
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Anurag kumar <anurag.piyush16@gmail.com>
> *Sent:* Tuesday, January 31, 2017 6:53 PM
> *To:* dev@struts.apache.org
> *Subject:* Struts 2.3.31 is excluding generic object.
>
> Hi,
>
> My Action class returns generic object and It was working fine with
> struts 2.3.16 but after upgrading with struts 2.3.31. It is excluding
> generic object.
> I found <constant name="struts.excludedClasses"> constant in
> struts-default.xml while searching. Here java.lang.Object is excluded.
> My concern is if I am overriding this constant in my struts.xml file
> after removing java.lang.Object .Will it have a huge impact on security?
>
>
> Thanks
> Anurag
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Mime
View raw message