Overview
| Item | Detail |
|---|---|
| Impact of vulnerability | Possible Remote Code Execution |
| Maximum security rating | High |
| Recommendation | Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts 2.5 |
| Affected Software | Struts 2.3.20-2.3.28 |
| Reporter | Alvaro Munoz alvaro dot munoz at hpe dot com |
| CVE Identifier | CVE-2016-3087 |
Analysis
The fix for S2-032 was not complete: it missed the filtering of the data passed into mapping.setName() in the rest plugin. As a result, when Dynamic Method Invocation (DMI) is enabled, an attacker can still construct a malicious URL and trigger command execution through the rest plugin.
Problem code in the rest plugin:

\struts-2.3.20.1\src\plugins\rest\src\main\java\org\apache\struts2\rest\RestActionMapper.java, line 181

```java
public ActionMapping getMapping(HttpServletRequest request,
                                ConfigurationManager configManager) {
    ActionMapping mapping = new ActionMapping();
    // request URI taken directly from the HTTP request, i.e. attacker-controlled input
    String uri = RequestUtils.getUri(request);
    ...
    // sets mapping name (and namespace) from the URI; no filtering of the name here
    parseNameAndNamespace(uri, mapping, configManager);
    ...
    // handle "name!method" convention.
    handleDynamicMethodInvocation(mapping, mapping.getName());
```
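To make the missing check concrete, the following added example (written for this page, not code from Struts or from the original analysis) contrasts an unchecked "name!method" split, as the analysis describes for the rest plugin, with a variant that validates both parts against a conservative allowlist before they reach the mapping. The `Mapping` class, the `SAFE_NAME` pattern and the sample inputs are assumptions constructed for the example.

```java
import java.util.regex.Pattern;

/** Added example: "name!method" handling with and without input validation. */
public class DmiNameCheck {
    // Conservative allowlist for action and method names (assumed; not the project's own pattern).
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.\\-]+");

    /** Minimal stand-in for ActionMapping: only the two fields this analysis discusses. */
    public static final class Mapping {
        public String name;
        public String method;
    }

    /** Unchecked variant: whatever follows the last "!" becomes the method name as-is. */
    public static Mapping unsafeHandle(String raw, boolean allowDmi) {
        Mapping m = new Mapping();
        int bang = raw.lastIndexOf('!');
        if (bang == -1) { m.name = raw; return m; }
        m.name = raw.substring(0, bang);
        m.method = allowDmi ? raw.substring(bang + 1) : null;
        return m;
    }

    /** Hardened variant: both the action name and the method name must match the allowlist. */
    public static Mapping safeHandle(String raw, boolean allowDmi) {
        Mapping m = unsafeHandle(raw, allowDmi);
        if (!SAFE_NAME.matcher(m.name).matches()) {
            throw new IllegalArgumentException("rejected action name: " + m.name);
        }
        if (m.method != null && !SAFE_NAME.matcher(m.method).matches()) {
            throw new IllegalArgumentException("rejected method name: " + m.method);
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal DMI call and one carrying expression syntax in the method part.
        String[] samples = { "orders!list", "orders!%{1+1}" };
        for (String s : samples) {
            Mapping u = unsafeHandle(s, true);
            System.out.println("unchecked: name=" + u.name + " method=" + u.method);
            try {
                Mapping h = safeHandle(s, true);
                System.out.println("hardened:  name=" + h.name + " method=" + h.method);
            } catch (IllegalArgumentException e) {
                System.out.println("hardened:  " + e.getMessage());
            }
        }
    }
}
```

With DMI enabled, the unchecked variant passes the second sample's expression-like method name straight into the mapping, whereas the hardened variant rejects it before any method lookup takes place.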
This function obtains the URL input via RequestUtils.getUri(), then calls parseNameAndNamespace(uri, mapping