Security Advisory: MVSA-11-007 (http://www.ventuneac.net/security-advisories/MVSA-11-007) CVE: CVE-2011-2088 Vendors: Apache Software Foundation, OpenSymphony Products: Struts 2, XWork , WebWork Vulnerabilities: Java Class Path Information Disclosure Risk: Medium Attack Vector: From Remote Authentication: Not Required References: http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html https://issues.apache.org/jira/browse/WW-3579 Description XWork before version 2.2.1 allows Java class path disclosure when non-existent method is requested * using tag with and Dynamic Method Invocation (DMI) enabled. * using bang notation (actionclass!method.action) with Dynamic Method Invocation (DMI) enabled Apache Struts 2 and OpenSymphony WebWork frameworks are vulnerable to similar attacks. 1. Using tag with Dynamic Method Invocation (DMI) enabled. a. Test case for Struts 2.2.1 with XWork 2.2.1 http://test.app.net/home.action?user=&password=&action!login:cantLogin_1=some_value XWork generated error: some_path.action.LoginAction.cantLogin_1() 2. Using bang notation actionclass!method.action with Dynamic Method Invocation (DMI) enabled a. Test case for Struts 2.2.1 with XWork 2.2.1 http://127.0.0.1:8088/struts2-showcase/token/tokenPrepare2!input1.action XWork generated error: org.apache.struts2.showcase.token.TokenAction.input1() b. Test case for Struts 2.0.6 with XWork 2.0.1 http://127.0.0.1:8088/struts2-showcase-2.0.6/token/tokenPrepare2!input1.action XWork generated error: java.lang.NoSuchMethodException: org.apache.struts2.showcase.token.TokenAction.input1() Affected Versions Multiple releases of Apache Struts 2 framework prior to 2.2.3 were found vulnerable to this vulnerability. Other open source and commercial products using XWork framework could be vulnerable to similar attacks. WebWork framework released by OpenSymphony (http://opensymphony.org) was confirmed as vulnerable to the second attack described in this advisory. Mitigation It is recommended to upgrade to Apache Struts 2.2.3 released on 5th of May 2011, or to the latest available version. Alternatively, it is recommended to implement a custom error page (eg. error_page.jsp) which either uses proper output encoding to display XWork generated errors or displays a generic error message. An example of Struts configuration (required in struts.xml file) is shown below: … /error_page.jsp … Disclosure Timeline 2011, February 18: Vulnerabilities discovered and documented 2011, February 18: First notification sent to Apache 2011, February 21: Second notification sent to Apache 2011, February 22: WW-3579 JIRA ticket created 2011, February 22: Apache acknowledges receiving the report 2011, February 22: Apache acknowledges the vulnerabilities 2011, March 27: Apache Struts 2.2.2 test build released 2011, April 8: Apache Struts 2.2.3 test build released 2011, May 5: Apache Struts 2.2.3 general availability build released 2011, May 18: MVSA-11-007 advisory published. MVSA-11-007 Dr. Marian Ventuneac