exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Struts 2 / XWork / WebWork Path Disclosure

Apache Struts 2 / XWork / WebWork Path Disclosure
Posted May 20, 2011
Authored by Dr. Marian Ventuneac

Apache Struts 2, XWork, and WebWork suffer from a java class path information disclosure vulnerability.

tags | advisory, java, info disclosure
advisories | CVE-2011-2088
SHA-256 | c0a84cb525b74d5273cbf496e7540533059cf934a7f4b582b6c01dd9bfa689f7

Apache Struts 2 / XWork / WebWork Path Disclosure

Change Mirror Download

Security Advisory: MVSA-11-007 (http://www.ventuneac.net/security-advisories/MVSA-11-007)

CVE: CVE-2011-2088

Vendors: Apache Software Foundation, OpenSymphony

Products: Struts 2, XWork , WebWork

Vulnerabilities: Java Class Path Information Disclosure

Risk: Medium

Attack Vector: From Remote

Authentication: Not Required

References:
http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html
https://issues.apache.org/jira/browse/WW-3579


Description

XWork before version 2.2.1 allows Java class path disclosure when non-existent method is requested

* using <s:submit> tag with and Dynamic Method Invocation (DMI) enabled.
* using bang notation (actionclass!method.action) with Dynamic Method Invocation (DMI) enabled

Apache Struts 2 and OpenSymphony WebWork frameworks are vulnerable to similar attacks.

1. Using <s:submit> tag with Dynamic Method Invocation (DMI) enabled.

a. Test case for Struts 2.2.1 with XWork 2.2.1

http://test.app.net/home.action?user=&password=&action!login:cantLogin_1=some_value

XWork generated error:

some_path.action.LoginAction.cantLogin_1()

2. Using bang notation actionclass!method.action with Dynamic Method Invocation (DMI) enabled

a. Test case for Struts 2.2.1 with XWork 2.2.1

http://127.0.0.1:8088/struts2-showcase/token/tokenPrepare2!input1.action

XWork generated error:

org.apache.struts2.showcase.token.TokenAction.input1()

b. Test case for Struts 2.0.6 with XWork 2.0.1

http://127.0.0.1:8088/struts2-showcase-2.0.6/token/tokenPrepare2!input1.action

XWork generated error:

java.lang.NoSuchMethodException: org.apache.struts2.showcase.token.TokenAction.input1()


Affected Versions

Multiple releases of Apache Struts 2 framework prior to 2.2.3 were found vulnerable to this vulnerability.

Other open source and commercial products using XWork framework could be vulnerable to similar attacks.

WebWork framework released by OpenSymphony (http://opensymphony.org) was confirmed as vulnerable to the second attack described in this advisory.

Mitigation

It is recommended to upgrade to Apache Struts 2.2.3 released on 5th of May 2011, or to the latest available version.

Alternatively, it is recommended to implement a custom error page (eg. error_page.jsp) which either uses proper output encoding to display XWork generated errors or displays a generic error message. An example of Struts configuration (required in struts.xml file) is shown below:


<global-results>
<result name="error">/error_page.jsp</result>
</global-results>
<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>


Disclosure Timeline

2011, February 18: Vulnerabilities discovered and documented
2011, February 18: First notification sent to Apache
2011, February 21: Second notification sent to Apache
2011, February 22: WW-3579 JIRA ticket created
2011, February 22: Apache acknowledges receiving the report
2011, February 22: Apache acknowledges the vulnerabilities
2011, March 27: Apache Struts 2.2.2 test build released
2011, April 8: Apache Struts 2.2.3 test build released
2011, May 5: Apache Struts 2.2.3 general availability build released
2011, May 18: MVSA-11-007 advisory published.


MVSA-11-007
Dr. Marian Ventuneac
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close