Since Struts2 was first released, many Internet enterprises, companies and platforms have used Apache Struts2 to build websites and application systems. Because it is so widely used, attackers have mined more and more Struts2 vulnerabilities in recent years, from the early S2-001 up to the latest S2-057. This article focuses on the details of how Struts2 vulnerabilities are exploited and on the methods used to fix them.

Struts 2.0.0 to Struts 2.0.8 are the versions affected by S2-001. This earliest vulnerability is very low-level: Apache had not set up any security mechanism at that time, so submitted parameters were immediately evaluated by recursive query, and malicious parameters could be inserted to carry out SQL injection attacks.

The fix for S2-001 is to turn off the altSyntax feature of Struts2, which is enabled by default, and use other methods for recursive queries. altSyntax is turned off because the tags of this feature automatically parse expressions; with altSyntax off, malicious parameters are no longer parsed.

The S2-003 vulnerability arises because malicious parameters were not filtered, leading to parameter injection. The affected versions are Struts 2.0.0 to Struts 2.0.11.2. This version added a new feature, a security interceptor, which performs keyword security checks while parameters are passed in, so some illegally injected parameters can be filtered out. However, Apache did not filter out a special encoding method for submitted parameters, so forged encoding could be used for SQL injection attacks. The fix for this vulnerability is to filter encoded injection in detail and to use regular expressions to filter out illegally injected parameters.

The cause of S2-005 is roughly the same as that of S2-003: malicious, illegal injection parameters are introduced when parameter values are passed in, which leads to remote code execution through OGNL parsing. The fix for this vulnerability is to set the Apache system parameter denyMethodExecution to off, and then upgrade the parameter interception filter to a stricter regular-expression filter.

The details of the S2-007, S2-008 and S2-009 vulnerabilities are that the devMode development mode must be enabled. There are injection vulnerabilities during code debugging and development, and there are not even any safety restrictions on single quotation marks, which can be submitted to the back end for escaping, resulting in escape injection on variables. S2-009 is also a POST parameter injection attack; unlike the S2-005 and S2-003 parameter injections, the security value in the parameter is not filtered, so malicious parameters can be inserted for SQL database injection attacks. The official fix was again to update the filtering system so that regular expressions strictly filter out any illegal parameters that might lead to injection.

The cause of S2-012 is that the default Apache configuration file struts.xml redirects a function setting of the default object, so a remote code execution vulnerability arises when the redirect's expression is parsed. The official fix for this vulnerability is security filtering of expression parsing.

The S2-013 exploit is due to a tag attribute: an expression can be executed in the parameter set by the tag, which makes the URL value parameter pass through the expression. The fix is also easy: delete the tag attribute. The S2-015 vulnerability is caused by wildcard mapping in the system configuration, which leads to the OGNL expression being executed remotely twice. First of all, the system does not perform a whitelist security check on the website URL, so when some special symbols such as the exclamation mark and percent sign are used, they can be submitted directly, causing remote execution of malicious code. The fix was a security check in the DefaultActionMapper class to filter out illegally injected code.
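The fixes described above (turning off altSyntax, leaving development mode off, regular-expression filtering of parameter names, and restricting what DefaultActionMapper will turn into a method call) all land in the application's struts.xml. The following hardened struts.xml is an added example written for this article, not configuration from the article's author or from the Struts project; it assumes Struts 2.3-era constant names and interceptor parameters (struts.devMode, struts.tag.altSyntax, struts.enable.DynamicMethodInvocation, struts.mapper.alwaysSelectFullNamespace, struts.enable.SlashesInActionNames, struts.ognl.allowStaticMethodAccess, and the acceptParamNames / excludeParams parameters of the params interceptor), and the action class example.HelloAction and its JSP path are placeholders. The weak value each constant replaces is shown in the comment beside it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- S2-007/S2-008/S2-009: the debugging injections need development mode.
         Weak: <constant name="struts.devMode" value="true"/> -->
    <constant name="struts.devMode" value="false"/>

    <!-- S2-001: altSyntax is what makes tag attributes parse expressions.
         The article's fix is to turn it off (Struts ships it on).
         Weak: <constant name="struts.tag.altSyntax" value="true"/> -->
    <constant name="struts.tag.altSyntax" value="false"/>

    <!-- S2-015: do not let DefaultActionMapper turn "!method" suffixes,
         slashes or wildcard action names into method calls or namespaces.
         Weak: <constant name="struts.enable.DynamicMethodInvocation" value="true"/> -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
    <constant name="struts.enable.SlashesInActionNames" value="false"/>

    <!-- S2-005: keep static method access closed for OGNL (the 2.3 default). -->
    <constant name="struts.ognl.allowStaticMethodAccess" value="false"/>

    <package name="default" namespace="/" extends="struts-default">
        <interceptors>
            <interceptor-stack name="hardenedStack">
                <interceptor-ref name="defaultStack">
                    <!-- S2-003/S2-005/S2-009: a parameter name is only set on the
                         action if it matches the allow-list regex AND does not
                         match any excluded prefix. Patterns are illustrative and
                         modelled on the 2.3 defaults; compare with the
                         struts-default.xml of the version actually deployed. -->
                    <param name="params.acceptParamNames">[a-zA-Z0-9\.\]\[\(\)_']+</param>
                    <param name="params.excludeParams">^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                </interceptor-ref>
            </interceptor-stack>
        </interceptors>
        <default-interceptor-ref name="hardenedStack"/>

        <!-- Placeholder action; no wildcard ("*") action names, so nothing
             derived from the request URL is ever evaluated as an expression. -->
        <action name="hello" class="example.HelloAction">
            <result>/WEB-INF/jsp/hello.jsp</result>
        </action>
    </package>
</struts>
```

Two practical notes on this configuration. Setting struts.tag.altSyntax to false disables expression evaluation in most tag attributes, so pages that rely on %{...} in tag attributes have to be rewritten, which is why the article calls it a trade-off against "other methods" of querying. The acceptParamNames and excludeParams defaults have changed between Struts releases, so the check a practitioner wants after applying this file is to submit a parameter name containing a character outside the allow-list (for example a # or a leading struts. prefix) on a test instance and confirm that the params interceptor logs it as rejected rather than setting it on the action.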


The above are the causes of the S2-001 to S2-015 vulnerabilities and the methods to fix them. Due to the space limitation of this article, the remaining Struts2 vulnerabilities will be explained in the next article.