
| Key: | WW-2107 |
| Type: | Bug |
| Status: | Resolved |
| Resolution: | Fixed |
| Priority: | Blocker |
| Assignee: | Don Brown |
| Reporter: | Don Brown |
| Votes: | 1 |
| Watchers: | 5 |
Issue Links:
Reference: This issue relates to:
| WW-2030 | User input is evaluated as an OGNL expression |
| WW-2160 | Disable static method access in OGNL expressions by default |

Description
It is possible for a user to submit malicious OGNL that could be executed in a page that uses JSP EL expressions in Struts tag attributes. FreeMarker pages that use FreeMarker expressions in Struts tag attributes are also affected. Velocity pages are not affected.
For example, say you had this JSP page fragment:
<s:text name="foo" value="${bar}" />
And a user submitted, via a validation error or request URL query parameter, the value:
bar=%{1+1}
What happens is the JSP processor gets the page first and processes the JSP EL expression, resulting in:
<s:text name="foo" value="%{1+1}" />
Then, the Struts 2 tag receives the 'value' attribute value and processes the OGNL expression, resulting in this:
<input type="text" name="foo" value="2" />
The workaround is to ensure you don't use JSP EL or FreeMarker expressions in Struts tag attributes because you could be unwittingly allowing arbitrary code execution.
The proposed solution is to turn off, via the TLD, JSP EL expressions in all Struts tag attributes. This will most likely break many Struts 2 applications, but the severity of the issue needs to be taken into account. This solution unfortunately doesn't resolve the FreeMarker issue.
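
The workaround above can be checked mechanically across a code base. The following is an added example, not code from this issue or from the Struts project: a Python scanner that reports Struts tag attributes containing `${...}` in JSP and FreeMarker templates. The `s` tag prefix, the function name and the sample templates are assumptions constructed for illustration.

```python
import re

# Opening Struts tags: JSP taglib form <s:text ...> and FreeMarker macro form
# <@s.text ...>. The "s" prefix is the conventional one (assumed here).
# Quoted attribute values may contain '>', so they are consumed as whole units.
TAG = re.compile(r'''<(?:s:|@s\.)(?P<tag>\w+)(?P<attrs>(?:[^>"']|"[^"]*"|'[^']*')*)>''')
ATTR = re.compile(r'''(?P<name>[\w:.-]+)\s*=\s*(?P<q>["'])(?P<value>.*?)(?P=q)''', re.S)
TEMPLATE_EXPR = re.compile(r'\$\{')  # JSP EL and FreeMarker interpolation


def find_template_exprs_in_struts_attrs(text):
    """Return (line, tag, attribute, value) for each Struts tag attribute whose
    value contains ${...}, i.e. is expanded by the JSP or FreeMarker engine
    before the Struts tag evaluates the result as OGNL."""
    findings = []
    for tag in TAG.finditer(text):
        line = text.count("\n", 0, tag.start()) + 1  # line where the tag opens
        for attr in ATTR.finditer(tag.group("attrs")):
            if TEMPLATE_EXPR.search(attr.group("value")):
                findings.append((line, tag.group("tag"),
                                 attr.group("name"), attr.group("value")))
    return findings


# Constructed sample templates (not taken from any real application).
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:text name="foo" value="${bar}" />
<s:textfield name="city" value="%{city}" />
<p>${bar}</p>
<s:url action="list"><s:param name="q" value='${param.q}'/></s:url>
"""
SAMPLE_FTL = '<@s.textfield name="foo" value="${bar}" />\n'

if __name__ == "__main__":
    import pathlib
    import sys
    # With directory arguments, scan template files; otherwise scan the samples.
    sources = [(str(p), p.read_text(errors="replace"))
               for root in sys.argv[1:] for p in pathlib.Path(root).rglob("*")
               if p.suffix in {".jsp", ".jspf", ".tag", ".ftl"}]
    sources = sources or [("sample.jsp", SAMPLE_JSP), ("sample.ftl", SAMPLE_FTL)]
    for name, text in sources:
        for line, tag, attr, value in find_template_exprs_in_struts_attrs(text):
            print(f"{name}:{line}: Struts tag '{tag}' attribute {attr}={value!r}")
```

Attributes written as developer-authored OGNL (`%{city}`) and `${...}` outside Struts tags are not reported; unquoted FreeMarker attribute values are outside what this scanner covers.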

made changes - 13/Aug/07 07:48 AM
| Field | Original Value | New Value |
| Description | The description as given above, without the sentence "Velocity pages are not affected." | The description as given above, with "Velocity pages are not affected." added after the sentence on FreeMarker pages. |

made changes - 13/Aug/07 07:50 AM
| Link | | This issue relates to WW-2030 [ WW-2030 ] |

made changes - 03/Sep/07 02:03 AM
| Assignee | | Don Brown [ mrdon ] |
| Resolution | | Fixed [ 1 ] |
| Status | Open [ 1 ] | Resolved [ 5 ] |

made changes - 07/Sep/07 03:25 PM
| Link | | This issue relates to WW-2160 [ WW-2160 ] |

made changes - 08/Jan/09 08:57 AM
| Workflow | Struts - editable closed status [ 44384 ] | Struts - editable closed status (temporary) [ 46561 ] |

made changes - 08/Jan/09 09:06 AM
| Workflow | Struts - editable closed status (temporary) [ 46561 ] | Struts - editable closed status [ 52412 ] |