XWork 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability

2008-11-06T00:00:00
ID SSV:4403
Type seebug
Reporter Root
Modified 2008-11-06T00:00:00

Description

BUGTRAQ ID: 32101 CNCAN ID:CNCAN-2008110505

XWork is a command-pattern framework used to support Struts 2 and other applications. XWork has a design flaw that allows a remote attacker to bypass security restrictions and manipulate server-side context objects.

The XWork ParametersInterceptor implementation has a security bypass problem. OGNL is a rich language that provides many features, including expression evaluation: http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html. This makes it possible to bypass the '#' protection and modify objects in the context. For example, to set #session.user to '0wn3d', the following parameter name can be used:

('\u0023' + 'session[\'user\']')(unused)=0wn3d

which, URL-encoded, looks like:

('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d

An attacker can exploit this issue to manipulate the server-side context with the privileges of the user running the application, compromising the application or attacking the system.
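As an added example (not part of this advisory and not XWork's or Struts' own code), the following Python check decodes a query string and classifies each parameter name before anything resembling it would reach an OGNL evaluator: names are accepted only if they are plain property paths matching an allowlist, and anything else is flagged as suspicious when it carries the markers the advisory describes (OGNL expression-evaluation syntax `(...)(...)`, the `#` context marker, or the `\u0023` escape that reconstructs it). The allowlist pattern, the function names and the sample query are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Allowlist for an ordinary property-path parameter name such as "user.name",
# "items[0].id" or "map['key']".  This pattern is an assumption for this example,
# not the project's own; anything outside it is never handed to an evaluator.
SAFE_PARAM_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*"
    r"(?:\.[A-Za-z_][A-Za-z0-9_]*|\[\d+\]|\['[A-Za-z0-9_]+'\])*$"
)

# Markers from the advisory: OGNL expression evaluation "(expr)(arg)", the
# context marker '#', and the Unicode escape '\u0023' that yields '#' when the
# string is evaluated.  Note the decoded name is checked, so %23 is covered too.
SUSPICIOUS = re.compile(r"\(.*\)\s*\(|#|\\u0023", re.IGNORECASE)


def classify_param_name(name: str) -> str:
    """Return 'allow', 'suspicious' or 'reject' for one decoded parameter name."""
    if SAFE_PARAM_NAME.match(name):
        return "allow"
    if SUSPICIOUS.search(name):
        return "suspicious"
    # Not on the allowlist but no known OGNL marker: still refuse it.
    return "reject"


def scan_query(query: str) -> list:
    """Decode a raw query string and classify every parameter name in it."""
    results = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        results.append((name, classify_param_name(name)))
    return results


if __name__ == "__main__":
    # Constructed sample: the advisory's URL-encoded parameter next to a benign one.
    sample = (
        r"('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d"
        r"&user.name=alice"
    )
    for decoded_name, verdict in scan_query(sample):
        print(f"{verdict:10s} {decoded_name}")
```

Run over the sample query the script prints `suspicious` for the decoded advisory parameter (after `%20%2b%20` becomes ` + `, the name reads `('\u0023' + 'session[\'user\']')(unused)`) and `allow` for `user.name`. The design point is that the allowlist decides, and the suspicious-marker check only adds a label useful for logging and alerting; a request with a rejected or suspicious name should be refused either way.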

Affected versions

OpenSymphony XWork 2.0.5
OpenSymphony XWork 2.0.4
OpenSymphony XWork 2.0.3
OpenSymphony XWork 2.0.2
OpenSymphony XWork 2.0.1
Apache Software Foundation Struts 2.0.11.2
Apache Software Foundation Struts 2.0.9
Apache Software Foundation Struts 2.0.8
Apache Software Foundation Struts 2.0.7
Apache Software Foundation Struts 2.0.6
Apache Software Foundation Struts 2.0.5
Apache Software Foundation Struts 2.0.4
Apache Software Foundation Struts 2.0.3
Apache Software Foundation Struts 2.0.2
Apache Software Foundation Struts 2.0.1
Apache Software Foundation Struts 2.0

Vendor fix

XWork 2.0.6 fixes this vulnerability. For Apache Software Foundation Struts 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9 and 2.0.11.2, the vendor supplies the same update package:

Apache Software Foundation struts-2.0.12-all.zip
http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip