OGNL expressions in headers and parameters


OGNL expressions in headers and parameters

Tamás Barta
Hi,

Is there any way to disable evaluating OGNL expressions in HTTP headers and
request parameters?

Thanks,
Tamás

Re: OGNL expressions in headers and parameters

Lukasz Lenart
2017-03-13 9:41 GMT+01:00 Tamás Barta <[hidden email]>:
> Hi,
>
> Is there any way to disable evaluating OGNL expressions in HTTP headers and
> request parameters?

There is no direct evaluation of request parameters or headers. The
problem is that those values are often used by developers in JSPs or
in some other places, and then the evaluation happens.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: OGNL expressions in headers and parameters

Tamás Barta
I mean I never want an HTTP header or parameter to be handled as an OGNL
expression and evaluated. I would like it to be retrieved as it is. For
security purposes.


Re: OGNL expressions in headers and parameters

Lukasz Lenart
2017-03-13 9:50 GMT+01:00 Tamás Barta <[hidden email]>:
> I mean I never want an HTTP header or parameter to be handled as an OGNL
> expression and evaluated. I would like it to be retrieved as it is. For
> security purposes.

As I said, Struts doesn't evaluate incoming params as OGNL
expressions, but when you use such a param in a JSP, it will be
evaluated.

<s:property value="%{#request.someParam}"/>

The same can happen in ActionSupport#getText(), but this is out of
Struts' control.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: OGNL expressions in headers and parameters

Tamás Barta
Interesting, I don't do such things. I wrote down the stack trace from
where it is executed (in 2.5.2).
This is the interesting part: none of my code is there.

StrutsPrepareAndExecuteFilter:100   // boolean handled = execute.executeStaticResourceRequest(request, response);
->
ExecuteOperations:59                // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
->
Dispatcher:897                      // Configuration config = mgr.getConfiguration();
->
ConfigurationManager:73             // conditionalReload();
->
OgnlValueStackFactory:64            // container.inject(stack);
...

I tried this test script and put a breakpoint in
OgnlUtil.getExcludedClasses():
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt


Re: OGNL expressions in headers and parameters

Lukasz Lenart
2017-03-13 10:43 GMT+01:00 Tamás Barta <[hidden email]>:

> Interesting, I don't do such things. I wrote down the stack trace from
> where it is executed (in 2.5.2).
> This is the interesting part: none of my code is there.
>
> StrutsPrepareAndExecuteFilter:100   // boolean handled = execute.executeStaticResourceRequest(request, response);
> ->
> ExecuteOperations:59                // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> ->
> Dispatcher:897                      // Configuration config = mgr.getConfiguration();
> ->
> ConfigurationManager:73             // conditionalReload();
> ->
> OgnlValueStackFactory:64            // container.inject(stack);
> ...
>
> I tried this test script and put a breakpoint in
> OgnlUtil.getExcludedClasses():
> https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

But this is a vulnerability, a bug which was already fixed. We are
also developers who make mistakes.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: OGNL expressions in headers and parameters

Tamás Barta
Lukasz, I don't write this to blame you. I very much appreciate your work.

I just write to this list because it seems to me that these OGNL
expressions are evaluated before my code is executed, and I wonder if it can
be disabled somehow.
Can I turn off these auto-evaluated things if I don't need them at all? You
wrote that it is my code which initiates this, but I don't think so.


Re: OGNL expressions in headers and parameters

Lukasz Lenart
2017-03-13 10:54 GMT+01:00 Tamás Barta <[hidden email]>:
> Lukasz, I don't write this to blame you. I very much appreciate your work.
>
> I just write to this list because it seems to me that these OGNL
> expressions are evaluated before my code is executed, and I wonder if it can
> be disabled somehow.
> Can I turn off these auto-evaluated things if I don't need them at all? You
> wrote that it is my code which initiates this, but I don't think so.

Not sure what you mean by "auto-evaluated" - each expression to
be evaluated must be passed to an interpreter first (e.g. OGNL), so
there is no such thing as auto-evaluation of everything.

OGNL is used to convert incoming params and apply them onto your
actions (request param as a String -> OGNL -> an Object of the given
type). You can pass an expression via such a param, e.g. %{'aaaaa' +
'bbbbb'}, and it won't be evaluated; it will be applied literally as a
String.

The problem is when someone takes the value of such a param and passes it to
the evaluator, e.g. getText("%{'aaaaa' + 'bbbbb'}", "%{'aaaaa' + 'bbbbb'}")
- then the evaluation happens - but this is a developer mistake, not
"auto-evaluation".


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
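The distinction Lukasz draws above (Struts applies a parameter as a literal String; evaluation happens only when application code hands that String to an OGNL-aware API such as getText(), or a JSP expression reaches into the raw request) is something a reviewer can look for in source. The following lint is an added example, not code from this thread or from the Struts project: it flags the two developer-side patterns named in the thread, a getText() call whose first argument is not a string literal, and an OGNL %{...} expression in a JSP that reads #request or #parameters directly. The regexes are a heuristic of this example rather than a parser, and the Java and JSP inputs are constructed for it; findings are call sites to review, not confirmed bugs.

```python
import re
from typing import List, Tuple

# Heuristic patterns; these are assumptions of this example, not Struts APIs.
#
# Pattern 1 (Java): ActionSupport#getText() whose first argument is not a plain
# string literal. A constant key such as getText("greeting.hello") is the
# intended use; a runtime value there is the mistake described in the thread.
GETTEXT_CALL = re.compile(r'\bgetText\s*\(\s*("(?:[^"\\]|\\.)*"|[^,)]+)')
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')

# Pattern 2 (JSP): an OGNL %{...} expression that reaches into #request or
# #parameters directly from a tag attribute.
OGNL_REQUEST_REF = re.compile(r'%\{[^}]*#(?:request|parameters)\b[^}]*\}')


def scan_java(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, first_argument) for every getText() call whose
    first argument is not a string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in GETTEXT_CALL.finditer(line):
            first_arg = match.group(1).strip()
            if not STRING_LITERAL.match(first_arg):
                findings.append((lineno, first_arg))
    return findings


def scan_jsp(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every %{...} expression that
    dereferences #request or #parameters."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in OGNL_REQUEST_REF.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings


# Constructed sample inputs for the example (not real project files).
SAMPLE_JAVA = """\
public class GreetAction extends ActionSupport {
    public String execute() {
        // fine: the key is a constant under the developer's control
        String a = getText("greeting.hello");
        // review: a request value becomes the key handed to the evaluator
        String b = getText(request.getParameter("msg"));
        // review: the same mistake, with the value also used as the default
        String c = getText(msg, msg);
        return SUCCESS;
    }
}
"""

SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:property value="name"/>
<s:property value="%{#request.someParam}"/>
<s:property value="%{#parameters.q[0]}"/>
<s:textfield name="title" value="%{title}"/>
"""


def report(java_source: str, jsp_source: str) -> List[str]:
    """Human-readable lines for both scans, one per finding."""
    lines = [f"java:{n}: getText() first argument is not a literal: {arg}"
             for n, arg in scan_java(java_source)]
    lines += [f"jsp:{n}: OGNL expression reads raw request data: {expr}"
              for n, expr in scan_jsp(jsp_source)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_JAVA, SAMPLE_JSP):
        print(line)
```

Run it as a script to see the four constructed findings. The safe pattern, which the lint deliberately leaves alone, is a constant message key with untrusted data supplied as a message argument rather than as the key itself.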


Re: OGNL expressions in headers and parameters

Paweł Wielgus
In reply to this post by Tamás Barta
Hi Tamás,
aren't you testing an old vulnerable version?

If so, try the new one.


--
Pozdrawiam,
Paweł Wielgus.
tel: +48 604 603 546


