Hi Anurag,
I hope it's not too late but I have some comments.
Today we updated to Struts2.3.32 to fix security issue S2-045.
After that, similar to your problem, we lost following OGNL evaluation
to null in our JSPs :(
"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"
After much time, I've fixed that as below which you may like :)
1. Extending StrutsPrepareAndExecuteFilter
package utils;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.struts2.StrutsStatics;
import org.apache.struts2.dispatcher.StrutsRequestWrapper;
import
org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter;
import com.opensymphony.xwork2.ActionContext;
/**
* @author Yasser Zamani
*
*/
public class MYStrutsPrepareAndExecuteFilter extends
StrutsPrepareAndExecuteFilter {
private MYOgnlUtils myOgnlUtils = new MYOgnlUtils();
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain)
throws IOException, ServletException {
req.setAttribute("my.ognl_utils", myOgnlUtils);
try {
super.doFilter(req, res, chain);
} finally {
req.removeAttribute("my.ognl_utils");
}
}
public class MYOgnlUtils {
public String getRequestURI() {
StrutsRequestWrapper srw = ((StrutsRequestWrapper)
ActionContext.getContext()
.get(StrutsStatics.HTTP_REQUEST));
return srw.getRequestURI();
}
}
}
2. web.xml
<filter>
<filter-name>struts2</filter-name>
<filter-class>utils.MYStrutsPrepareAndExecuteFilter</filter-class>
</filter>
3. JSPs
"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].getAttribute('taam.ognl_utils').requestURI}"
**You may implement in similar way without excluding generic object.**
Good Luck,
Yasser.
On 2/1/2017 3:46 AM, Yasser Zamani wrote:
> Yes I think. https://www.exploit-db.com/exploits/33142/ says there will
> be a remote command execution vulnerability. You may try that exploit
> and see for any results on your
> server.<https://www.exploit-db.com/exploits/33142/>
>
> Apache Struts - ClassLoader Manipulation Remote Code ...
> <https://www.exploit-db.com/exploits/33142/>
> www.exploit-db.com
> Apache Struts - ClassLoader Manipulation Remote Code Execution
> (Metasploit). CVE-2014-0094,CVE-2014-0112,CVE-2014-0113. Remote exploit
> for Multiple platform....
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Anurag kumar <[email protected]>
> *Sent:* Tuesday, January 31, 2017 6:53 PM
> *To:* [email protected]
> *Subject:* Struts 2.3.31 is excluding generic object.
>
> Hi,
>
> My Action class returns generic object and It was working fine with
> struts 2.3.16 but after upgrading with struts 2.3.31. It is excluding
> generic object.
> I found <constant name="struts.excludedClasses"> constant in
> struts-default.xml while searching. Here java.lang.Object is excluded.
> My concern is if I am overriding this constant in my struts.xml file
> after removing java.lang.Object .Will it have a huge impact on security?
>
>
> Thanks
> Anurag
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
