漏洞类别:CGI
漏洞等级: 
漏洞信息
Apache Struts is an open-source Model-View-Controller (MVC) framework for creating elegant, modern Java web applications.
The vulnerability exists when using result type with no namespace and in same time, its upper action(s) have no or wildcard namespace. An unauthenticated, remote attacker could exploit this vulnerability by not setting the namespace value for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace. The vulnerable condition also exists when using url tag which doesnt have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.
Affected software:
Struts 2.x - Struts 2.3.34
Struts 2.5.x - Struts 2.5.16
QID Detection Logic (Unauthenticated):
This QID sends specifically crafted payload in the request to check for command execution in .action, .go,.do,.jsp .xhtml files under common web directories.
QID Detection Logic (Authenticated):
This QID executes ps -ef command and looks for the presence of tomcat process and find the location of struts2-core-x.jar file.
NOTE: For custom applications use QID 371151 which will work for custom locations of tomcat if tomcat server authentication record is provided.
漏洞危害
Successful exploitation allows a remote attacker to execute arbitrary code on a targeted system.
解决方案
Customers are advised to refer to the Apache Struts S2-057 advisory for more information pertaining to this vulnerability.Workaround:
If versions in addition to the ones listed above are detected as vulnerable, customers are advised to:
- Verify if the Struts Convention plugin is enabled.
- Set the alwaysSelectFullNamespace flag is set to FALSE in the Struts configuration.
- Specify the optional namespace attribute in the Struts configuration file.
- Remove the wildcard namespace attribute if specified in the Struts configuration file.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论