This is regarding the security flaw in OGNL evaluation in Struts.
Can someone give an example of how this is exploited?
Imagine I have a request parameter and server returns this back to the client:
http://test/xyz=test
I have a variable named xyz with getter and setter in action class, and in JSP I have:
<s:property value="%{xyz}" />
If someone uses the URL http://test/xyz=@System@exit(0) what happens?
First, the ticket you linked to was fixed in 2007. I don’t know what exactly the problem was back then, but it doesn’t appear to be relevant anymore.
Your JSP page would output the string literal @System@exit(0).
OGNL expressions are processed inside the Struts2 tags. In this case, the string literal %{xyz} is passed to the setValue(String) method of PropertyTag. Inside that tag, that string is evaluated against the value stack to produce the resulting value of @System@exit(0). That value is then output.
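
The single evaluation described in the answer above, as an added example that is not part of the original posts and not Struts' own code. It is a simplified model of the tag's behaviour; the class names `SinglePassEvaluation` and `TestAction` and the helper `evaluateTagAttribute` are hypothetical, and it assumes the OGNL library (with its dependencies) on the classpath in a release that offers the two-argument `Ognl.getValue(String, Object)`.

```java
import ognl.Ognl;
import ognl.OgnlException;

public class SinglePassEvaluation {

    // Hypothetical stand-in for the action class in the question:
    // a plain bean with a getter and setter for xyz.
    public static class TestAction {
        private String xyz;
        public String getXyz() { return xyz; }
        public void setXyz(String xyz) { this.xyz = xyz; }
    }

    // Simplified model of what the tag does with its value attribute:
    // strip the %{...} wrapper and evaluate the inner expression once
    // against the root object (standing in for the value stack).
    static Object evaluateTagAttribute(String attribute, Object root) throws OgnlException {
        String expr = attribute.trim();
        if (expr.startsWith("%{") && expr.endsWith("}")) {
            expr = expr.substring(2, expr.length() - 1);
        }
        return Ognl.getValue(expr, root);
    }

    public static void main(String[] args) throws OgnlException {
        TestAction action = new TestAction();
        // Constructed input: the request parameter value from the question,
        // stored through the setter as an ordinary string.
        action.setXyz("@System@exit(0)");

        // The expression being evaluated is "xyz", written by the page author.
        Object result = evaluateTagAttribute("%{xyz}", action);

        // The result is the parameter value, returned as data and not parsed again.
        if (!(result instanceof String) || !"@System@exit(0)".equals(result)) {
            throw new AssertionError("unexpected result: " + result);
        }
        System.out.println("rendered: " + result);
        System.out.println("JVM still running: the parameter value was never evaluated");
    }
}
```

The property comes back as a `java.lang.String`, which is what the answer means by the value being output rather than executed.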