Multiple vulnerabilities in Apache Foundation Struts 2 framework. Csaba Barta and László Tóth



Similar documents
Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Penetration from application down to OS

SSO Plugin. J System Solutions. Upgrading SSO Plugin 3x to 4x - BMC AR System & Mid Tier.

T320 E-business technologies: foundations and practice

Creating Java EE Applications and Servlets with IntelliJ IDEA

White Paper March 1, Integrating AR System with Single Sign-On (SSO) authentication systems

BusinessObjects Enterprise XI Release 2

Managing Qualys Scanners

Security certificate management

Development. with NetBeans 5.0. A Quick Start in Basic Web and Struts Applications. Geertjan Wielenga

Overview of Web Services API

Microsoft Windows PowerShell v2 For Administrators

BAPI. Business Application Programming Interface. Compiled by Y R Nagesh 1

TCH Forecaster Installation Instructions

Web Applications. For live Java training, please see training courses at

Configuring the BBj Jetty Web Server (rev10.02) for OSAS

THE OPEN UNIVERSITY OF TANZANIA

BIRT Application and BIRT Report Deployment Functional Specification

Crystal Reports for Eclipse

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Make sure you have configured the following backup methods or your data may not be properly protected.

Feith Dashboard iq Server Version 8.1 Install Guide

Creating Web Services Applications with IntelliJ IDEA

CS506 Web Design and Development Solved Online Quiz No. 01

Proof of Concept. A New Data Validation Technique for Microsoft ASP.NET Web Applications. Foundstone Professional Services

2. Follow the installation directions and install the server on ccc

1. Building Testing Environment

Reporting Installation Checklist

Upgrading Your Web Server from ClientBase Browser Version 2.0 or Above to Version 2.1.1

Comparing Application Security Tools

Distributing SMS v2.0

What is Web Security? Motivation

Setting Up Scan to SMB on TaskALFA series MFP s.

Outlook Data File navigate to the PST file that you want to open, select it and choose OK. The file will now appear as a folder in Outlook.

AssetWise Performance Management. APM Remote Upgrade Guide

Technical Support Set-up Procedure

A Roadmap for Securing IIS 5.0

Apache JMeter HTTP(S) Test Script Recorder

Web Application Report

Instant Chime for IBM Sametime Installation Guide for Apache Tomcat and Microsoft SQL

Implementation of Web Application Firewall

SafeWord Domain Login Agent Step-by-Step Guide

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Tutorial: Building a Web Application with Struts

In this chapter, we lay the foundation for all our further discussions. We start

Tutorial: setting up a web application

Still Aren't Doing. Frank Kim

Web Services using Tomcat and Eclipse

How to hack VMware vcenter server in 60 seconds

Installation Manual (MSI Version)

Crystal Reports Integration Plugin for JIRA

SSO Plugin. Integration for BMC MyIT and SmartIT. J System Solutions. Version 4.0

Nintex Workflow 2010 Installation Guide. Installation Guide Nintex USA LLC, All rights reserved. Errors and omissions excepted.

HIC.SOAP Network User Instructions last updated June 22, :39 AM

Security Testing of Java web applications Using Static Bytecode Analysis of Deployed Applications

McAfee One Time Password

Managing Data on the World Wide-Web

Struts 2 - Practical examples

Automating client deployment

OrgPublisher 11 Web Administration Installation for Windows 2008 Server

PA165 - Lab session - Web Presentation Layer

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Adobe Systems Incorporated

Customizing the SSOSessionTimeout.jsp page for Kofax Front Office Server 3.5.2

Database Applications Recitation 10. Project 3: CMUQFlix CMUQ s Movies Recommendation System

dotdefender for IIS User Guide dotdefender for IIS - Manual Version 1.0

Owner of the content within this article is Written by Marc Grote

Important Release Information and Technical and Deployment Support Notes

SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit

Introduction to Macromedia Dreamweaver MX

Avalanche Site Edition

Consuming, Providing & Publishing WS

How to Integrate IIS with JBoss / Tomcat Under Windows XP and Linux

SchoolBooking SSO Integration Guide

Training Events Database (TED) Setup Guide

Creating While Loops with Microsoft SharePoint Designer Workflows Using Stateful Workflows

Web Development on the SOEN 6011 Server

etoken Enterprise For: SSL SSL with etoken

System Area Management Software Tool Tip: Agent Deployment utilizing. the silent installation with Active Directory

Synchronizer Installation

enter the administrator user name and password for that domain.

Bulk Downloader. Call Recording: Bulk Downloader

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Tool-Assisted Knowledge to HL7 v3 Message Translation (TAMMP) Installation Guide December 23, 2009

Installation Guide for Websphere ND

Quickstart guide to Configuring WebTitan

Snow Active Directory Discovery

Using Cockpit to browse via Google Chrome

Struts Tools Tutorial. Version: M5

Railo Installation on CentOS Linux 6 Best Practices

Installation Guidelines (MySQL database & Archivists Toolkit client)

c360 CRM/SharePoint Integration SharePoint Proxy Component Installation Guide

Background Deployment 3.1 (1003) Installation and Administration Guide

Programming on the Web(CSC309F) Tutorial: Servlets && Tomcat TA:Wael Aboelsaadat

RSM Web Gateway RSM Web Client INSTALLATION AND ADMINISTRATION GUIDE

PCVITA Express Migrator for SharePoint (File System) Table of Contents

Transcription:

Multiple vulnerabilities in Apache Foundation Struts 2 framework Csaba Barta and László Tóth 12. June 2008

Content Content... 2 Summary... 3 Directory traversal vulnerability in static content serving... 3 Double URL decoding vulnerability in findinputstream method... 4 Circumventing the.class filter in findstaticresource method... 6 Impact of the vulnerabilities... 7

Summary We identified three critical vulnerabilities in the Strus 2 framework. According to struts.apache.org: Struts 2 is an extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time. (http://struts.apache.org/2.x/) Directory traversal vulnerability in static content serving Remote: Yes Risk: High Vulnerable systems: Struts 2.0.5 and above were tested including 2.1.2 beta version Immune Systems: No other version of Struts was tested If the requested URI starts with the /struts string, the dofilter method of the FilterDispatcher class calls the findstaticresource method, which serves the static content, as shown below: if (servestatic && resourcepath.startswith("/struts")) { String name = resourcepath.substring("/struts".length()); findstaticresource(name, request, response); else { // this is a normal request, let it pass through chain.dofilter(request, response); The first parameter ( name ) of the findstaticresource will contain the URI without the /struts string. If the request is the following (testing the strus2 blank example application which is distributed with struts2): http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts.. The following response is sent by the web server, which is the lib folder of the Apache Tomcat: 3

Figure 1.: The content of the lib directory of Tomcat We tested some application where the served directory was the parent of the WEB-INF folder and we could browse and download files from it. Double URL decoding vulnerability in findinputstream method Remote: Yes Risk: High Vulnerable systems: Struts 2.0.5 and above were tested including 2.1.2 beta version. Immune Systems: No other version of Struts was tested The findinputstream function is responsible for loading the static content from the packages. This function is vulnerable to double URL decoding. The following code snippet shows the vulnerable part in the source code of FilterDispatcher class: protected InputStream findinputstream(string name, String packageprefix) throws IOException { resourcepath = URLDecoder.decode(resourcePath, encoding); return ClassLoaderUtil.getResourceAsStream(resourcePath, getclass()); If the attacker supplies double URL encoded special characters in the URL, the first decoding will be done by web server or application server. The findinputstream will be supplied with the simple URL encoded version of the character then the call to URLDecoder.decode function will result in the special characters decoded. The ClassLoaderUtil.getResourceAsStream function will be supplied with this decoded path. 4

Example: 1. The attacker supplies %252f in the URL 2. After the first decoding done by Tomcat the character will be decoded to %2f 3. After the call to URLDecoder.decode the character will be decoded to / This vulnerability can be exploited by an attacker to circumvent an URL filter or how the web server handles../. Example request: http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts/..%252f The response sent by the server: Figure 2.: Double URL decoding By supplying further..%252f the attacker can navigate trough the search path configured for the application and find files containing sensitive information (e.g.: application configuration, java classes (see the next section)). Figure 3.: Further navigating through the search path 5

Circumventing the.class filter in findstaticresource method Remote: Yes Risk: High Vulnerable systems: Struts 2.0.5 and above were tested including 2.1.2 beta version Immune Systems: No other version of Struts was tested The findstaticresource method implements a filter that is responsible for preventing the download of java class files. Here is the code snippet from findstaticresource: protected void findstaticresource(string name, HttpServletRequest request, HttpServletResponse response) throws IOException { if (!name.endswith(".class")) { for (String pathprefix : pathprefixes) { InputStream is = findinputstream(name, pathprefix); response.senderror(httpservletresponse.sc_not_found); The filter inspects the URL, and if the requested content s name ends with.class it denies serving it. It is possible to circumvent this filter by adding / to the end of the file name. For example (testing the strus2 blank example application which is distributed with struts2): http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fweb-inf/classess/example/login.class/ The response sent by the server: Figure 4.: Downloading java class file 6

Because of the last / after the.class the upper mentioned condition will be met (the requested content doesn t end with.class it ends with.class/ ), and findinputstream will be called in a loop which will result in the class file served to the client. This security hole can be exploited by taking advantage of the previous vulnerability. Impact of the vulnerabilities A remote attacker may download application configuration files and java classes from the web server running vulnerable version of the framework. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information