Description
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Affected products
- apache / Struts 2.0.11.2 – 2.0.11.2
- apache / Struts 2.0.4 – 2.0.4
- apache / Struts 2.0.5 – 2.0.5
- apache / Struts 2.0.6 – 2.0.6
- apache / Struts 2.0.7 – 2.0.7
- apache / Struts 2.0.8 – 2.0.8
- apache / Struts 2.0.9 – 2.0.9
- apache / Struts 2.0.11 – 2.0.11
- apache / Struts 2.0.11.1 – 2.0.11.1
- apache / Struts 2.0.0 – 2.0.0
- apache / Struts 2.0.2 – 2.0.2
- apache / Struts 2.0.3 – 2.0.3
- opensymphony / xwork 2.0.1 – 2.0.1
- opensymphony / xwork 2.0.2 – 2.0.2
- opensymphony / xwork 2.0.3 – 2.0.3
- opensymphony / xwork 2.0.4 – 2.0.4
- opensymphony / xwork 2.0.5 – 2.0.5
- opensymphony / xwork 2.1.0 – 2.1.0
- opensymphony / xwork 2.1.1 – 2.1.1
- opensymphony / xwork 2.0.0 – 2.0.0
References
- VENDOR_ADVISORY: http://secunia.com/advisories/32495
- MISC: http://fisheye6.atlassian.com/cru/CR-9/
- MISC: http://struts.apache.org/2.x/docs/s2-003.html
- MISC: https://exchange.xforce.ibmcloud.com/vulnerabilities/46328
- VENDOR_ADVISORY: http://www.vupen.com/english/advisories/2008/3003
- VENDOR_ADVISORY: http://www.vupen.com/english/advisories/2008/3004
- MISC: http://www.securityfocus.com/bid/32101
- VENDOR_ADVISORY: http://secunia.com/advisories/32497
- MISC: http://jira.opensymphony.com/browse/XW-641
- MISC: http://issues.apache.org/struts/browse/WW-2692
- MISC: http://osvdb.org/49732