lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 May 2011 15:40:53 -0600
Subject: Apache Struts 2, XWork, OpenSymphony WebWork Java Class Path
 Information Disclosure

Security Advisory: MVSA-11-007 (

CVE: CVE-2011-2088

Vendors: Apache Software Foundation, OpenSymphony

Products: Struts 2, XWork , WebWork 

Vulnerabilities: Java Class Path Information Disclosure

Risk: Medium

Attack Vector: From Remote

Authentication: Not Required



XWork before version 2.2.1 allows Java class path disclosure when non-existent method is requested

    * using <s:submit> tag with and Dynamic Method Invocation (DMI) enabled.
    * using bang notation (actionclass!method.action) with Dynamic Method Invocation (DMI) enabled

Apache Struts 2 and OpenSymphony WebWork frameworks are vulnerable to similar attacks. 

1. Using <s:submit> tag with Dynamic Method Invocation (DMI) enabled.

a. Test case for Struts 2.2.1 with XWork 2.2.1!login:cantLogin_1=some_value

    XWork generated error:


2. Using bang notation actionclass!method.action with Dynamic Method Invocation (DMI) enabled

a. Test case for Struts 2.2.1 with XWork 2.2.1!input1.action

    XWork generated error:


b. Test case for Struts 2.0.6 with XWork 2.0.1!input1.action

    XWork generated error:

        java.lang.NoSuchMethodException: org.apache.struts2.showcase.token.TokenAction.input1()

Affected Versions

Multiple releases of Apache Struts 2 framework prior to 2.2.3 were found vulnerable to this vulnerability.

Other open source and commercial products using XWork framework could be vulnerable to similar attacks. 

WebWork framework released by OpenSymphony ( was confirmed as vulnerable to the second attack described in this advisory.

It is recommended to upgrade to Apache Struts 2.2.3 released on 5th of May 2011, or to the latest available version.

Alternatively, it is recommended to implement a custom error page (eg. error_page.jsp) which either uses proper output encoding to display XWork generated errors or displays a generic error message. An example of Struts configuration (required in struts.xml file) is shown below:

  <result name="error">/error_page.jsp</result>
  <exception-mapping exception="java.lang.Exception" result="error"/>

Disclosure Timeline

2011, February 18: Vulnerabilities discovered and documented
2011, February 18: First notification sent to Apache
2011, February 21: Second notification sent to Apache
2011, February 22: WW-3579 JIRA ticket created
2011, February 22: Apache acknowledges receiving the report
2011, February 22: Apache acknowledges the vulnerabilities
2011, March 27: Apache Struts 2.2.2 test build released
2011, April 8: Apache Struts 2.2.3 test build released
2011, May 5: Apache Struts 2.2.3 general availability build released
2011, May 18:  MVSA-11-007 advisory published.

Dr. Marian Ventuneac

Powered by blists - more mailing lists