Struts 2.3.31 is excluding generic object.


Struts 2.3.31 is excluding generic object.

Anurag kumar
Hi,

My Action class returns a generic object, and it was working fine with Struts 2.3.16, but after upgrading to Struts 2.3.31 it is excluding the generic object.
I found the <constant name="struts.excludedClasses"> constant in struts-default.xml while searching. Here java.lang.Object is excluded. My concern is: if I override this constant in my struts.xml file after removing java.lang.Object, will it have a huge impact on security?


Thanks
Anurag

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Struts 2.3.31 is excluding generic object.

Yasser Zamani
Yes, I think. https://www.exploit-db.com/exploits/33142/ says there will be a remote command execution vulnerability. You may try that exploit and see for any results on your server.


Re: Struts 2.3.31 is excluding generic object.

Yasser Zamani
Hi Anurag,

I hope it's not too late, but I have some comments.

Today we updated to Struts 2.3.32 to fix security issue S2-045.

After that, similar to your problem, the following OGNL evaluation in our JSPs started evaluating to null :(

"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"

After much time, I've fixed that as below, which you may like :)

1. Extending StrutsPrepareAndExecuteFilter

package utils;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.struts2.StrutsStatics;
import org.apache.struts2.dispatcher.StrutsRequestWrapper;
import org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter;

import com.opensymphony.xwork2.ActionContext;

/**
 * @author Yasser Zamani
 */
public class MYStrutsPrepareAndExecuteFilter extends StrutsPrepareAndExecuteFilter {

    private MYOgnlUtils myOgnlUtils = new MYOgnlUtils();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Expose the accessor as a request attribute for the duration of this request only.
        req.setAttribute("my.ognl_utils", myOgnlUtils);
        try {
            super.doFilter(req, res, chain);
        } finally {
            req.removeAttribute("my.ognl_utils");
        }
    }

    // Declared in the application's own package, so OGNL's excluded-package rule does not apply to it.
    public class MYOgnlUtils {
        public String getRequestURI() {
            StrutsRequestWrapper srw = (StrutsRequestWrapper) ActionContext.getContext()
                    .get(StrutsStatics.HTTP_REQUEST);
            return srw.getRequestURI();
        }
    }
}

2. web.xml

  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>utils.MYStrutsPrepareAndExecuteFilter</filter-class>
  </filter>

3. JSPs (the attribute name must match the one set in the filter)

"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].getAttribute('my.ognl_utils').requestURI}"

**You may implement it in a similar way without excluding the generic object.**

Good Luck,
Yasser.

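
The rule this thread turns on, as an added stand-alone Java model that is not Struts' own SecurityMemberAccess and not code from any post: a member is blocked when the class declaring it, or that class's package, is on an exclusion list, which is why a method declared in javax.servlet.http returns null while the same-named method on an accessor in the application's package is evaluated. ExclusionCheckDemo, MyOgnlUtils and the use of javax.crypto.Cipher as a stand-in for a javax.servlet type are assumptions; the two exclusion entries are the ones named on the page, and the real defaults list more.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
/** Constructed model of the rule the thread turns on: a member is blocked when the class that
 *  declares it, or that class's package, is excluded. Not Struts' SecurityMemberAccess. */
public class ExclusionCheckDemo {

    // The two entries named in the thread: java.lang.Object (struts.excludedClasses)
    // and the javax package (excluded package names). The real defaults list more.
    static final List<Class<?>> DEFAULT_EXCLUDED_CLASSES = Collections.<Class<?>>singletonList(Object.class);
    static final List<String> EXCLUDED_PACKAGES = Arrays.asList("javax.");

    /** Stand-in for MYOgnlUtils: declared in the application's own package, so never excluded. */
    public static class MyOgnlUtils {
        public String getRequestURI() { return "/demo/index.action"; }  // constructed value
    }

    static boolean isAccessible(Method m, List<Class<?>> excludedClasses, List<String> excludedPackages) {
        Class<?> declaring = m.getDeclaringClass();  // keyed on the declaring class, not the target's runtime type
        if (excludedClasses.contains(declaring)) return false;
        Package pkg = declaring.getPackage();
        String pkgName = pkg == null ? "" : pkg.getName() + ".";
        for (String prefix : excludedPackages) {
            if (pkgName.startsWith(prefix)) return false;
        }
        return true;
    }

    static String describe(String expr, Method m, List<Class<?>> excludedClasses) {
        return expr + " -> " + (isAccessible(m, excludedClasses, EXCLUDED_PACKAGES) ? "evaluated" : "null (blocked)");
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Method getRequestURI = MyOgnlUtils.class.getMethod("getRequestURI");
        Method getClass = MyOgnlUtils.class.getMethod("getClass");                 // declared by java.lang.Object
        Method javaxMember = javax.crypto.Cipher.class.getMethod("getAlgorithm");  // stand-in for a javax.servlet member

        System.out.println(describe("ognlUtils.requestURI", getRequestURI, DEFAULT_EXCLUDED_CLASSES));
        System.out.println(describe("request.requestURI (javax.servlet)", javaxMember, DEFAULT_EXCLUDED_CLASSES));
        System.out.println(describe("anyObject.class (default exclusions)", getClass, DEFAULT_EXCLUDED_CLASSES));
        // What the first post asks about: dropping java.lang.Object from the list re-exposes getClass() on every object.
        List<Class<?>> withoutObject = Collections.emptyList();
        System.out.println(describe("anyObject.class (java.lang.Object removed)", getClass, withoutObject));
    }
}
```

The last line is the risk behind the first question: once java.lang.Object is no longer excluded, getClass() is reachable from every value on the stack, which is the starting point of the class-loader manipulation issue Yasser's exploit-db link refers to, so the narrow accessor pattern above is the safer fix.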


Re: Struts 2.3.31 is excluding generic object.

Lukasz Lenart
2017-03-12 15:57 GMT+01:00 Yasser Zamani <[hidden email]>:

> Hi Anurag,
>
> I hope it's not too late but I have some comments.
>
> Today we updated to Struts2.3.32 to fix security issue S2-045.
>
> After that, similar to your problem, we lost following OGNL evaluation
> to null in our JSPs :(
>
> "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"

This is strange; this can only happen if you used OGNL 3.1.14 or
3.0.20 [1], but this wasn't part of Struts 2.3.32.

https://github.com/jkuhnert/ognl#release-notes---version-3114-3020


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts 2.3.31 is excluding generic object.

Yasser Zamani


On 3/12/2017 8:21 PM, Lukasz Lenart wrote:

> 2017-03-12 15:57 GMT+01:00 Yasser Zamani <[hidden email]>:
>> Hi Anurag,
>>
>> I hope it's not too late but I have some comments.
>>
>> Today we updated to Struts2.3.32 to fix security issue S2-045.
>>
>> After that, similar to your problem, we lost following OGNL evaluation
>> to null in our JSPs :(
>>
>> "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"
>
> This is strange, this can only happen if you used OGNL 3.1.14 or
> 3.0.20 [1] but this wasn't part of Struts 2.3.32
Don't worry Lukasz, it was not about #context accessibility; OGNL
successfully compiles and goes forward until
`javax.servlet.http.HttpServletRequest.getRequestURI()` but does not
continue any further and returns null, since `javax` is in its excluded
packages due to security :)
>
> https://github.com/jkuhnert/ognl#release-notes---version-3114-3020
>
>
> Regards
>



Re: Struts 2.3.31 is excluding generic object.

Lukasz Lenart
2017-03-12 18:48 GMT+01:00 Yasser Zamani <[hidden email]>:
>> This is strange, this can only happen if you used OGNL 3.1.14 or
>> 3.0.20 [1] but this wasn't part of Struts 2.3.32
> Don't worry Lukasz , it was not about #context accessibility; OGNL
> successfully compiles and goes forward until
> `javax.servlet.http.HttpServletRequest.getRequestURI()` but does not
> continue any more and returns null since `javax` is in his excluded
> packages due to security :)

Uf... ok :)


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
