Apache Struts2 is a popular open-source framework for Java EE web applications, utilizing the MVC architecture. The S2-066 vulnerability is a path traversal flaw in its file upload functionality. Attackers can bypass the basename protection by capitalizing the first letter of the form field name (e.g., 'Upload' instead of 'upload') and providing a separate field with a path traversal payload (e.g., '../shell.jsp'). This allows files to be uploaded outside the intended directory. The vulnerability affects Struts2 2.5.32. Proof-of-concept involves uploading a JSP file to a restricted directory, then using the exploit to upload it elsewhere for execution.
Apache Struts2 is a popular open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API and encourages developers to adopt the Model-View-Controller (MVC) architecture. The framework provides developers with a rich set of tags and utilities for building enterprise-grade web applications that are easy to maintain and extend.
Apache Struts2 S2-066 is a path traversal vulnerability that exists in the file upload functionality. An attacker can manipulate the casing of form field names to upload files to locations outside the intended upload directory.
During Struts2's file upload processing, the framework normally retains only the basename of the uploaded file to prevent path traversal. However, due to a logic flaw in the handling process, an attacker can bypass this protection in the following way:
Use a form field name with an initial uppercase letter (e.g., "Upload" instead of "upload")
Provide a separate form field containing the target path traversal filename
This allows the unsanitized filename to override the basename protection, ultimately resulting in a successful path traversal.
S2-066 File Upload Path Traversal Vulnerability (CVE-2023-50164)
Apache Struts2 is a popular open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API and encourages developers to adopt the Model-View-Controller (MVC) architecture. The framework provides developers with a rich set of tags and utilities for building enterprise-grade web applications that are easy to maintain and extend.
Apache Struts2 S2-066 is a path traversal vulnerability that exists in the file upload functionality. An attacker can manipulate the casing of form field names to upload files to locations outside the intended upload directory.
During Struts2's file upload processing, the framework normally retains only the basename of the uploaded file to prevent path traversal. However, due to a logic flaw in the handling process, an attacker can bypass this protection in the following way:
This allows the unsanitized filename to override the basename protection, ultimately resulting in a successful path traversal.
References:
Environment Setup
Run the following command to start a web server built with Struts2 2.5.32:
Once the environment is up, visit http://your-ip:8080 to see the application page, which is a simple file upload page.
Vulnerability Reproduction
First, try uploading a JSP file to the normal upload directory:
Although the file uploads successfully, the JSP code cannot be executed inside the upload directory upload/ due to the server configuration:
Use the following request to exploit the S2-066 vulnerability and upload the file outside the upload directory:
Pay attention to these key elements during exploitation:
The JSP file is now uploaded outside the restricted upload directory and can be executed:
You can now access the webshell by visiting http://your-ip:8080/shell.jsp.