OWASP Insecure Web Components Project/Struts2
CookieInterceptor (S2-022)
Overview
The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() did not cover other cases, allowing manipulation of session and request state when "*" is used to configure the cookiesName parameter.
The CookieInterceptor sets values in the OGNL stack and on the action based on cookie names and values. If an asterisk is present in the cookiesName parameter, all cookie names are assumed to be injected into the OGNL stack and the corresponding action. The same applies to cookiesValue.
Example:
<action>
    <interceptor-ref name="cookie">
        <param name="cookiesName">cookie1, cookie2</param>
        <param name="cookiesValue">*</param>
    </interceptor-ref>
</action>
Tampering with Struts2 Session Data
This was reported here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057 - and has been fixed since Struts 2.3.4. Conceptually, however, it is part of understanding the full issue at hand.
If an action implements the Action or SessionAware interface, data can be auto-bound to the current session or request using the common implementation:
Based on this post: http://codesecure.blogspot.ca/2011/12/struts-2-session-tampering-via.html - this allows manipulation such as ?session.key=value. If an object that has a setValue(String) method is stored in the session under the key "data", passing the query string parameter ?session.data.value=authorized would set that value.
CVE-2014-0116
The fix for CVE-2014-0094 was not fully applied to values such as session or request. Please reference http://securityintelligence.com/struts-vulnerabilities-analysis-parameters-cookie-interceptors-impact-exploitation/ for the original analysis.
By building an example vulnerable application, it was possible to modify session values in the same way as above, e.g. session.user.role=admin, which, when the action implements SessionAware, sets the new value on the OGNL stack and in the action.
Remediation
In Struts 2.3.16.3 the same exclude patterns that are available in ParametersInterceptor were applied to CookieInterceptor. If you don't use CookieInterceptor you are safe. (S2-022)
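The following is an added Python model, not Struts code, of the two behaviours discussed above: the cookie selection that cookiesName="*" performs, before and after exclude patterns are applied, and the same exclude check run over query-string parameter names such as session.data.value. The patterns are assumptions modelled on the ParametersInterceptor defaults, and the cookies and parameter names are constructed samples.

```python
import re

# Exclude patterns modelled on (assumption: not copied verbatim from) the
# ParametersInterceptor defaults that Struts 2.3.16.3 also applied to
# CookieInterceptor: names navigating into the session, request or
# application maps, the servlet request/response, or any class property.
EXCLUDE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^session\..*",
    r"^request\..*",
    r"^application\..*",
    r"^servlet(Request|Response)\..*",
    r"(.*\.|^)class\..*",
)]

def is_excluded(name: str) -> bool:
    """True if a parameter or cookie name matches an exclude pattern."""
    return any(p.match(name) for p in EXCLUDE_PATTERNS)

def select_cookies(cookies: dict, cookies_name: str,
                   apply_exclusions: bool) -> dict:
    """Model of CookieInterceptor's cookie selection: cookies_name is the
    comma-separated cookiesName param and '*' accepts every cookie name.
    apply_exclusions=False models the pre-2.3.16.3 behaviour, where '*'
    lets a name like 'session.user.role' reach the OGNL stack."""
    accepted = {n.strip() for n in cookies_name.split(",")}
    selected = {}
    for name, value in cookies.items():
        if "*" not in accepted and name not in accepted:
            continue  # not in the configured allow-list
        if apply_exclusions and is_excluded(name):
            continue  # blocked by the S2-022 fix
        selected[name] = value
    return selected

# Constructed sample request: one ordinary cookie plus cookie and parameter
# names shaped like the OGNL navigation described on the page.
SAMPLE_COOKIES = {"theme": "dark", "session.user.role": "admin",
                  "request.locale": "xx"}
SAMPLE_PARAMS = ["name", "session.data.value", "class.classLoader.x"]

def vulnerable_selection() -> dict:
    return select_cookies(SAMPLE_COOKIES, "*", apply_exclusions=False)

def fixed_selection() -> dict:
    return select_cookies(SAMPLE_COOKIES, "*", apply_exclusions=True)

def rejected_params(names) -> list:
    """Parameter names the same exclude patterns reject (query-string case)."""
    return [n for n in names if is_excluded(n)]
```

With cookiesName="*" and no exclusions every sample cookie reaches the stack; with the exclusions only "theme" survives, and the same check rejects session.data.value and class.classLoader.x as parameter names.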