
Example Analysis of Struts2 Framework site risk

2025-04-03 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

In this issue, the editor brings you an example analysis of the risks facing Struts2 framework sites. The article is rich in content and analyzes the topic from a professional point of view. I hope you gain something from reading it.

1. Overview

Struts is an open source project sponsored by the Apache Software Foundation (ASF). It started as a sub-project of the Jakarta project and later became a top-level ASF project. Using Java Servlet/JSP technology, it implements a web application framework for Java EE based on the Model-View-Controller (MVC) design pattern, and is a classic product of that pattern.

In the early days of Java EE web application development, besides using Servlet technology, it was common to mix HTML and Java code in the source of JavaServer Pages (JSP). Both approaches inevitably mixed presentation with business logic code, which greatly complicated both initial development and later maintenance. To escape these constraints and cleanly separate business logic from the presentation layer, Craig McClanahan developed Struts in 2000 using the MVC design pattern. The framework was later considered the most widely used and popular web application framework for Java.

Struts2 is a web application framework based on the MVC design pattern and is essentially equivalent to a servlet. In the MVC pattern, Struts2 acts as the Controller, mediating data exchange between the model and the view. Struts 2 is the next-generation successor to Struts, a new framework built by merging Struts 1 with WebWork technology.

2. Vulnerability inventory

2.1. History of vulnerabilities

With the popularity of the Struts2 framework, more and more enterprises have adopted it for development, and in recent years high-risk vulnerabilities have been exposed many times. Many government sites, banks, large Internet companies and other organizations have been affected. For example, 12G of JD.com user data leaked in December 2016, including user names, passwords, mailboxes, QQ numbers, phone numbers, ID card numbers and other fields, amounting to tens of millions of records. This traced back to a Struts 2 security breach in 2013. At that time almost all domestic Internet companies and a large number of banks and government agencies were affected, resulting in large-scale data leaks, and after each Struts2 vulnerability the major Internet vulnerability platforms received numerous reports.

Struts2's code execution problems date back to 2010, when Meder Kydyraliev of the Google Security Team found that the parameter interceptor's filtering of the special character "#" could be bypassed by supplying it in unicode-encoded form, leading to code execution; the official advisory is S2-003.
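To make the S2-003 pattern concrete from the defender's side, here is an added example (my own Python, not the article's or the Struts project's code): a deny-list filter that looks for a literal "#" in raw parameter names, beside a hardened version that first resolves \uXXXX escapes and then applies an allow-list. The sample parameter names and the allow-list regex are constructed for illustration and are not the framework's own rules.

```python
import re

# Constructed sample parameter names, as they would arrive in an HTTP request.
# The last two spell '#' as a \u0023 escape (the S2-003 trick) and as a
# doubly escaped form that only appears after two rounds of decoding.
SAMPLE_PARAMS = [
    "user.name",
    "order[0].qty",
    "#session.user",
    "\\u0023session.user",
    "\\u005cu0023session.user",
]

def naive_filter(name: str) -> bool:
    """Deny-list check on the raw name: rejects only a literal '#'."""
    return "#" not in name

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

def normalize(name: str) -> str:
    """Resolve \\uXXXX escapes until the string stops changing, so the
    check sees the same characters an expression lexer would."""
    prev = None
    while prev != name:
        prev = name
        name = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), name)
    return name

# Hypothetical allow-list: a property name, optionally followed by more
# dotted property names or numeric indexes. No '#', '@', '(' or quotes.
_ALLOWED = re.compile(r"^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*|\[\d+\])*$")

def hardened_filter(name: str) -> bool:
    """Allow-list check on the normalized name."""
    return _ALLOWED.fullmatch(normalize(name)) is not None

def audit(names):
    """Return {name: (naive_verdict, hardened_verdict)} for a batch of names."""
    return {n: (naive_filter(n), hardened_filter(n)) for n in names}

if __name__ == "__main__":
    for n, (naive, hard) in audit(SAMPLE_PARAMS).items():
        print(f"{n!r:32} naive={'pass' if naive else 'block'} "
              f"hardened={'pass' if hard else 'block'}")
```

Logging every rejected name has detection value as well: a burst of escaped or otherwise unusual parameter names against a Struts2 application is worth alerting on.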

Looking back at the history of Struts2 vulnerabilities, the project maintainers bear much of the blame. First, the developers were not very security-conscious: although basic security measures were taken, they were as good as nonexistent in practice. Second, the official fixes were not thorough, giving the impression of perfunctory patches that failed to solve the problem at its root. In addition, the project's openness is striking: the PoC for each vulnerability was posted directly on the official website, which gave many people the opportunity to study its exploitation further, and this is another reason the problem became more serious.

2.2. Struts2 vulnerability inventory

The Struts2 vulnerabilities with relatively large impact and widespread exploitation are:

CVE-2010-1870: XWork ParameterInterceptors bypass allows OGNL statement execution

CVE-2012-0392: Struts2 DevMode remote command execution vulnerability

CVE-2011-3923: Struts
