
XWork ParameterInterceptors bypass (OGNL statement execution) (XW-641)


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.0.11.2, 2.1.0, 2.1.1, 2.1.2
    • Fix Version/s: 2.0.12, 2.1.3
    • Component/s: Core Interceptors
    • Labels: None

    Description

      Meder Kydyraliev of the Google Security Team reported a vulnerability to the XWork team that allows attackers to bypass security measures implemented in ParametersInterceptor to inject OGNL expressions.
      Since XWork is the foundation of Struts2, this must be considered a Struts2 vulnerability as well.

      For a full description, see
      http://jira.opensymphony.com/secure/ViewIssue.jspa?key=XW-641

People

    Assignee: René Gielen (rgielen)
    Reporter: René Gielen (rgielen)
    Votes: 0
    Watchers: 1