
Struts2 vulnerability description and detailed steps for upgrading to 2.3.15.1

2013-09-02 11:57

1. JAR changes

Removed JAR                 ===》  Added JAR

asm.jar                     ===》 asm-3.3.jar

asm-attrs.jar               ===》 asm-attrs-2.2.3.jar

cglib-2.1.jar               ===》 cglib-nodep-2.2.2.jar

commons-beanutils.jar         ===》 commons-beanutils-1.8.0.jar

commons-fileupload-1.1.1.jar  ===》 commons-fileupload-1.3.jar

commons-io-1.3.2.jar          ===》 commons-io-2.0.1.jar

commons-lang.jar            ===》 commons-lang-2.4.jar

commons-logging-1.0.4.jar   ===》 commons-logging-1.1.3.jar

commons-logging-1.1.jar     ===》 

ognl-3.0.1.jar              ===》 ognl-3.0.6.jar

struts2-core-2.2.3.jar      ===》 struts2-core-2.3.15.1.jar

struts2-json-plugin-2.2.3.jar ===》 struts2-json-plugin-2.3.15.1.jar

wsdl4j-1.5.1.jar            ===》 wsdl4j-1.6.2.jar

wsdl4j-1.6.1.jar            ===》 

xwork-core-2.2.3.jar        ===》 xwork-core-2.3.15.1.jar

Newly added   ===》 asm-commons-3.3.jar

Newly added   ===》 c3p0-0.9.1.2.jar

Newly added   ===》 commons-lang3-3.1.jar

Newly added   ===》 jms-1.1.jar

Newly added   ===》 struts2-convention-plugin-2.3.15.1.jar

Newly added   ===》 struts2-spring-plugin-2.3.15.1.jar

2. Related error messages and fixes

2.0 Set devMode to false

2.1 The "ActionContextCleanUp <<< is deprecated! Please use the new filters" warning

***************************************************************************
*                                 WARNING!!!        
* >>> ActionContextCleanUp <<< is deprecated! Please use the new filters!                                                                
*             This can be a source of unpredictable problems!    
*                Please refer to the docs for more details!          
*              http://struts.apache.org/2.x/docs/webxml.html         
************************************************************************** 

In web.xml, change *.FilterDispatcher to *.ng.filter.StrutsPrepareAndExecuteFilter.
FilterDispatcher is the core filter for Struts 2.0.x through 2.1.2.
StrutsPrepareAndExecuteFilter has replaced FilterDispatcher since 2.1.3.
StrutsPrepareAndExecuteFilter is a combination of StrutsPrepareFilter and StrutsExecuteFilter.

Comment out the following code:

<filter>
    <filter-name>struts-cleanup</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
</filter>
<filter-mapping>
    <filter-name>struts-cleanup</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
    <!--<init-param>
        <param-name>actionPackages</param-name>
        <param-value>cn.xkshow.demo.action</param-value>
    </init-param>-->
</filter>
<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.shtml</url-pattern>
    <!--<dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher> -->
</filter-mapping>

Replace the commented-out code with:

<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    <!-- <init-param></init-param> -->
</filter>
<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.shtml</url-pattern>
</filter-mapping>

      


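Appendix: Struts2 hit by another remote code execution vulnerability

Struts has been hit by another remote code execution vulnerability! In this vulnerability, an attacker can remotely execute malicious code by manipulating parameters. In versions before Struts 2.3.15.1, the values of parameters prefixed with action:, redirect: and redirectAction: are not properly filtered, which leads to OGNL code execution.

Description
Affected versions: Struts 2.0.0 - Struts 2.3.15
Reporter: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE ID: CVE-2013-2251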

Proof of concept

The parameter is evaluated as an OGNL expression:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

Code execution:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

 
How the vulnerability works
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression.
This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
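
An added example (not part of the original post): a log check for the pattern described above, flagging request parameters whose name starts with action:, redirect: or redirectAction: and contains an OGNL opener once URL decoding is undone. The common/combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Special prefixes handled by DefaultActionMapper, as named on this page.
PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_OPEN = re.compile(r"[%$]\{")  # start of an OGNL expression: %{ or ${
# Request target inside a common/combined-format access log line (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so %2525{ and %25{ both end up as %{."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return decoded parameter names that pair a special prefix with an OGNL opener."""
    query = target.partition("?")[2]
    hits = []
    for part in re.split(r"[&;]", query):
        name = fully_decode(part.split("=", 1)[0])
        if name.startswith(PREFIXES) and OGNL_OPEN.search(name):
            hits.append(name)
    return hits

def scan_log(lines):
    """Return (line_number, parameter_names) for every flagged log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample lines: the page's harmless 3*4 probe, a double-encoded
# variant of it, ordinary traffic, and a legitimate use of the action: prefix.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Sep/2013:11:57:00 +0800] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 200 512',
    '192.0.2.11 - - [02/Sep/2013:11:57:04 +0800] "GET /struts2-showcase/employee/save.action?redirect:%2525%7B3*4%7D HTTP/1.1" 302 0',
    '192.0.2.12 - - [02/Sep/2013:11:57:09 +0800] "GET /struts2-showcase/employee/list.action?page=2&sort=name HTTP/1.1" 200 2048',
    '192.0.2.13 - - [02/Sep/2013:11:57:15 +0800] "POST /struts2-showcase/employee/save.action?action:save HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Access logs normally record only the request line, so this check covers query strings and not parameters sent in a POST body.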