Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-2030

User input is evaluated as an OGNL expression

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.0.8
    • 2.0.9
    • Value Stack
    • None
    • Important

    Description

      All user input, for example entered through a form, is evaluated as an OGNL expression.
      This leads to a remote exploit of possible malicious code execution of any kind, such as server shutdown or information theft.

      Moreover, it can lead to a DoS problem:
      On a form with:
      <s:textfield name="xxx">
      if the user enters %

      {xxx}

      as the value then com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an infinite loop eating about 1GB of ram in one second on my server.

      Attachments

        1. xwork2.diff
          4 kB
          Musachy Barroso
        2. xwork.diff
          3 kB
          Musachy Barroso
        3. translateVariable2.txt
          3 kB
          Andrea Vettori
        4. translateVariable.txt
          3 kB
          Andrea Vettori
        5. Struts2.diff
          2 kB
          Musachy Barroso
        6. Struts.diff
          0.6 kB
          Musachy Barroso
        7. no-recursion-in-text-parse.diff
          5 kB
          Donald J. Brown

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. WW-2107 Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              rainerh Rainer Hermanns
              mail@andreavettori.com Andrea Vettori
              Votes:
              6 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: