MVSA-11-007


CVE:


CVE-2011-2088
Vendors:
Apache Software Foundation
OpenSymphony
Products:
Struts 2 Framework
XWork Framework
WebWork Framework
Vulnerabilities:
Java Class Path Information Disclosure
Risk:
Medium
Attack Vector:
From Remote
Authentication:
References:

Not Required
http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html
https://issues.apache.org/jira/browse/WW-3579


Description

XWork before and including version 2.2.3 allows Java class path disclosure when non-existent method is requested
  • using <s:submit> tag with and Dynamic Method Invocation (DMI) enabled.
  • using bang notation (actionclass!method.action) with Dynamic Method Invocation (DMI) enabled
Apache Struts 2 and OpenSymphony WebWork frameworks are vulnerable to similar attacks. 

1.
Using <s:submit> tag using bash syntax with Dynamic Method Invocation (DMI) enabled.

a. Test case for Struts 2.2.1 with XWork 2.2.1

        http://test.app.net/home.action?user=&password=&action!login:cantLogin_1=some_value

    XWork generated error:

        some_path.action.LoginAction.cantLogin_1()


2.
Using bang notation (actionclass!method.action) with Dynamic Method Invocation (DMI) enabled

a. Test case for Struts 2.2.1 with XWork 2.2.1

        http://127.0.0.1:8088/struts2-showcase/token/tokenPrepare2!input1.action

    XWork generated error:

        org.apache.struts2.showcase.token.TokenAction.input1()

b. Test case for Struts 2.0.6 with XWork 2.0.1

        http://127.0.0.1:8088/struts2-showcase-2.0.6/token/tokenPrepare2!input1.action

    XWork generated error:

        java.lang.NoSuchMethodException: org.apache.struts2.showcase.token.TokenAction.input1()


Affected Versions

Multiple releases of Apache Struts 2 framework prior and including version 2.2.3  were found vulnerable to this vulnerability.

Other open source and commercial products using XWork framework could be vulnerable to similar attacks. 

WebWork framework released by OpenSymphony (http://opensymphony.org) was confirmed as vulnerable to the second attack described in this advisory.


Mitigation

    
Regardless of the version of Apache Struts 2 being used, it is recommended to implement a custom error page (eg. error_page.jsp) which displays a generic error message instead of XWork generated errors. An example of required configuration in struts.xml file is shown below:


<global-results>
  <result name="error">/error_page.jsp</result>
</global-results>
<global-exception-mappings>
  <exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>


A similar approach on displaying a custom error page is recommended for applications using OpenSymphony WebWork.

Disclosure Timeline

2011, February 18: Vulnerabilities discovered and documented
2011, February 18: First notification sent to Apache
2011, February 21: Second notification sent to Apache
2011, February 22: WW-3579 JIRA ticket created
2011, February 22: Apache acknowledges receiving the report
2011, February 22: Apache acknowledges the vulnerabilities
2011, March 27: Apache Struts 2.2.2 test build released
2011, April 8: Apache Struts 2.2.3 test build released
2011, May 5: Apache Struts 2.2.3 general availability build released
2011, May 18:  MVSA-11-007 advisory published.


MVSA-11-007
Dr. Marian Ventuneac