Bug 997755 (CVE-2011-3923) - struts2: Remote code execution via OGNL injection in HTTP parameter values
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20120122,repo...
Keywords: Security
Reported: 2013-08-16 03:20 EDT by Arun Babu Neelicattu
Modified: 2015-07-31 07:14 EDT
Last Closed: 2013-08-16 03:21:57 EDT
Doc Type: Bug Fix

Description Arun Babu Neelicattu 2013-08-16 03:20:38 EDT
The regular expression in ParametersInterceptor matches top['foo'](0) as a valid expression, which OGNL treats as (top['foo'])(0) and evaluates the value of the 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression, and since the OGNL statement is in an HTTP parameter value, an attacker can use blacklisted characters (e.g. #) to disable method execution and execute arbitrary methods, bypassing the ParametersInterceptor and OGNL library protections.

Affects: 2.0.0 - 2.3.1.1
Fixed in: 2.3.1.2

References:
[1] http://struts.apache.org/development/2.x/docs/s2-009.html
[2] http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html
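The description above turns on one detail: the parameter *name* is checked against an allowlist regex, the parameter *value* is not, and a name of the shape top['foo'](0) slips through the name check while making OGNL evaluate the value. The script below is an added example, not code from the bug report or from the Struts project. The pre-fix pattern is quoted from memory of ParametersInterceptor in the affected 2.x releases and should be checked against the exact version you audit; the strict pattern is my own replacement for illustration, not the Struts 2.3.1.2 fix; the query strings are constructed.

```python
import re
from urllib.parse import parse_qsl

# Pre-fix ParametersInterceptor allowlist for parameter names, as I recall it from the
# affected Struts 2.x source (an assumption, not text from the bug report). Java's
# Matcher.matches() is a full match, hence fullmatch() below; re.ASCII keeps \w and \s
# ASCII-only, matching Java's default regex semantics.
PRE_FIX_ACCEPTED = re.compile(r"[a-zA-Z0-9\.\]\[\(\)_'\s]+", re.ASCII)

# A stricter allowlist of my own (not the 2.3.1.2 fix): an identifier chain with
# numeric or single-quoted string index access only. Parentheses are never accepted,
# so a name can neither call a method nor take the (expr)(arg) evaluation shape that
# the report describes for top['foo'](0).
STRICT_ACCEPTED = re.compile(r"\w+(?:\.\w+|\[\d+\]|\['\w+'\])*", re.ASCII)

# Characters the pre-fix name check keeps out of names. The S2-009 point is that the
# value, which is what OGNL ends up evaluating, never meets this check at all.
NAME_REJECTED_CHARS = set("#=,:@")


def accepted_pre_fix(name):
    """True if the pre-fix ParametersInterceptor allowlist accepts this parameter name."""
    return PRE_FIX_ACCEPTED.fullmatch(name) is not None


def accepted_strict(name):
    """True if the strict allowlist accepts this parameter name."""
    return STRICT_ACCEPTED.fullmatch(name) is not None


def audit_query(query_string):
    """Return one finding per parameter whose name the pre-fix allowlist accepts but the
    strict allowlist rejects, noting whether the value carries characters the name
    check would have refused: a benign-looking name with the real expression in the value."""
    findings = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if accepted_pre_fix(name) and not accepted_strict(name):
            findings.append({
                "name": name,
                "value": value,
                "value_has_rejected_chars": any(c in NAME_REJECTED_CHARS for c in value),
            })
    return findings


# Constructed sample query strings (not taken from the report). The second mimics the
# top['foo'](0) name shape with a harmless placeholder value, not a working payload;
# %23 is a URL-encoded '#', which the name check rejects but the value check never sees.
SAMPLES = [
    "user.name=alice&items[0]=pen&prefs['theme']=dark",
    "top['foo'](0)=%23placeholder&foo=1",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(qs)
        for name, _ in parse_qsl(qs, keep_blank_values=True):
            print("  %-18s pre-fix=%-5s strict=%s"
                  % (name, accepted_pre_fix(name), accepted_strict(name)))
        for f in audit_query(qs):
            print("  FLAG %r -> value %r (rejected chars in value: %s)"
                  % (f["name"], f["value"], f["value_has_rejected_chars"]))
```

Two things to watch if you adapt this: the pre-fix class includes \s, so any application that relied on parameter names with spaces will break under a tighter allowlist and needs a compatibility pass; and this is a regex-level check only, it does not reproduce the OGNL parser, so treat a name that passes as "not obviously an expression", not as safe.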
Comment 1 Arun Babu Neelicattu 2013-08-16 03:21:57 EDT
Statement:

Not Vulnerable. This issue only affects struts 2, it does not affect the versions of struts as shipped with various Red Hat products.
