Re: OGNL expressions in headers and parameters
Hi Tamás, aren't you testing an old vulnerable version? If so, try the new one.

--
Pozdrawiam,
Paweł Wielgus.
tel: +48 604 603 546

2017-03-13 10:54 GMT+01:00 Tamás Barta:
> Lukasz, I don't write it to blame you. I very much appreciate your work.
>
> I just write to this list because it seems to me that these OGNL
> expressions are evaluated before my code is executed and I wonder if it can
> be disabled anyhow.
> Can I turn off these auto-evaluated things if I don't need them at all? You
> wrote that it is my code which initiates this, but I don't think so.
>
> On Mon, Mar 13, 2017 at 10:48 AM, Lukasz Lenart wrote:
>
>> 2017-03-13 10:43 GMT+01:00 Tamás Barta:
>> > Interesting, I don't do such things. I write down the stack trace from
>> > where it is executed (in 2.5.2).
>> > This is the interesting part, there is none of my code there.
>> >
>> > StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response);
>> > ->
>> > ExecuteOperations:59 // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
>> > ->
>> > Dispatcher:897 // Configuration config = mgr.getConfiguration();
>> > ->
>> > ConfigurationManager:73 // conditionalReload();
>> > ->
>> > OgnlValueStackFactory:64 // container.inject(stack);
>> > ...
>> >
>> > I tried this test script and put a breakpoint in
>> > OgnlUtil.getExcludedClasses():
>> > https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
>>
>> but this is a vulnerability, a bug which was already fixed. We also
>> are developers that make mistakes.
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: OGNL expressions in headers and parameters
2017-03-13 10:54 GMT+01:00 Tamás Barta:
> Lukasz, I don't write it to blame you. I very much appreciate your work.
>
> I just write to this list because it seems to me that these OGNL
> expressions are evaluated before my code is executed and I wonder if it can
> be disabled anyhow.
> Can I turn off these auto-evaluated things if I don't need them at all? You
> wrote that it is my code which initiates this, but I don't think so.

Not sure what you mean by "auto-evaluated" - each expression to be evaluated must be passed to an interpreter first (e.g. OGNL), so there is no such thing as auto-evaluation of everything.

OGNL is used to convert incoming params and apply them onto your actions (request param as a String -> OGNL -> an Object of the given type). You can pass an expression via such a param, e.g. %{'a' + 'b'}, and it won't be evaluated; it will be applied literally as a String.

The problem is when someone takes the value of such a param and passes it to the evaluator, e.g. getText("%{'a' + 'b'}", "%{'a' + 'b'}") - then the evaluation happens - but this is a developer mistake, not "auto-evaluation".

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
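The following is an added example and is not code from this thread or from the Struts project. It shows the developer mistake Łukasz describes here (and in his earlier replies further down the thread about JSPs and ActionSupport#getText()): an action that hands a request-supplied string to getText() as the key and default text, placed next to a form that keeps the untrusted value out of the evaluator. It assumes struts2-core on the classpath, a hypothetical GreetAction mapped in struts.xml, and a GreetAction.properties bundle that defines greeting.hello and greeting.bye with a {0} placeholder (e.g. "Hello, {0}!"). The ordering of expansion and argument substitution stated in the comments is what I know of Struts 2.5 and should be checked against the version in use.

```java
// Added example, not Struts project code. Assumes struts2-core on the classpath,
// GreetAction mapped in struts.xml, and greeting.hello / greeting.bye defined in
// GreetAction.properties with a {0} placeholder (these names are hypothetical).
package example;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;

public class GreetAction extends ActionSupport {

    // Developer-owned mapping from request-selectable names to bundle keys.
    // Only values from this map ever reach getText() as a message key.
    private static final Map<String, String> GREETING_KEYS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("hello", "greeting.hello");
        m.put("bye", "greeting.bye");
        GREETING_KEYS = Collections.unmodifiableMap(m);
    }

    // Populated by the params interceptor from ?name=...&style=...
    // The interceptor stores the request strings literally: a value such as
    // %{'a' + 'b'} arrives here as exactly those characters, unevaluated.
    private String name;
    private String style;

    public void setName(String name) { this.name = name; }
    public String getName() { return name; }
    public void setStyle(String style) { this.style = style; }
    public String getStyle() { return style; }

    // The mistake described in the thread: the untrusted string becomes both the
    // message key and the default text, so getText() runs %{...} expansion on it.
    public String greetingUnsafe() {
        return getText(name, name);
    }

    // Fixed form: the key is chosen from GREETING_KEYS (developer-controlled) and
    // the untrusted value is supplied only as a MessageFormat argument ({0}).
    // Arguments are substituted after the bundle text has been expanded, so the
    // request value is never passed to the OGNL interpreter (assumed behaviour,
    // as known from Struts 2.5; verify against the version in use).
    public String greetingSafe() {
        String key = GREETING_KEYS.getOrDefault(style, "greeting.hello");
        return getText(key, new String[] { name });
    }

    @Override
    public String execute() {
        return SUCCESS;
    }
}
```

The same rule carries over to the JSP side mentioned earlier in the thread: render the action property (for example with `<s:property value="name"/>`, which evaluates the expression `name` and prints the resulting string without evaluating it again) rather than building an OGNL expression out of the request value.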
Re: OGNL expressions in headers and parameters
Lukasz, I don't write it to blame you. I very much appreciate your work.

I just write to this list because it seems to me that these OGNL expressions are evaluated before my code is executed and I wonder if it can be disabled anyhow.
Can I turn off these auto-evaluated things if I don't need them at all? You wrote that it is my code which initiates this, but I don't think so.

On Mon, Mar 13, 2017 at 10:48 AM, Lukasz Lenart wrote:
> 2017-03-13 10:43 GMT+01:00 Tamás Barta:
> > Interesting, I don't do such things. I write down the stack trace from
> > where it is executed (in 2.5.2).
> > This is the interesting part, there is none of my code there.
> >
> > StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response);
> > ->
> > ExecuteOperations:59 // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> > ->
> > Dispatcher:897 // Configuration config = mgr.getConfiguration();
> > ->
> > ConfigurationManager:73 // conditionalReload();
> > ->
> > OgnlValueStackFactory:64 // container.inject(stack);
> > ...
> >
> > I tried this test script and put a breakpoint in
> > OgnlUtil.getExcludedClasses():
> > https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
>
> but this is a vulnerability, a bug which was already fixed. We also
> are developers that make mistakes.
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: OGNL expressions in headers and parameters
2017-03-13 10:43 GMT+01:00 Tamás Barta:
> Interesting, I don't do such things. I write down the stack trace from
> where it is executed (in 2.5.2).
> This is the interesting part, there is none of my code there.
>
> StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response);
> ->
> ExecuteOperations:59 // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> ->
> Dispatcher:897 // Configuration config = mgr.getConfiguration();
> ->
> ConfigurationManager:73 // conditionalReload();
> ->
> OgnlValueStackFactory:64 // container.inject(stack);
> ...
>
> I tried this test script and put a breakpoint in
> OgnlUtil.getExcludedClasses():
> https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

but this is a vulnerability, a bug which was already fixed. We also are developers that make mistakes.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: OGNL expressions in headers and parameters
Interesting, I don't do such things. I write down the stack trace from where it is executed (in 2.5.2). This is the interesting part, there is none of my code there.

StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response);
->
ExecuteOperations:59 // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
->
Dispatcher:897 // Configuration config = mgr.getConfiguration();
->
ConfigurationManager:73 // conditionalReload();
->
OgnlValueStackFactory:64 // container.inject(stack);
...

I tried this test script and put a breakpoint in OgnlUtil.getExcludedClasses():
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

On Mon, Mar 13, 2017 at 10:11 AM, Lukasz Lenart wrote:
> 2017-03-13 9:50 GMT+01:00 Tamás Barta:
> > I mean I never want an HTTP header or parameter to be handled as an OGNL
> > expression and get evaluated. I would like it to be retrieved as it is, for
> > security purposes.
>
> As I said, Struts doesn't evaluate incoming params as OGNL
> expressions, but when you use such a param in a JSP, it will be
> evaluated.
>
> The same can happen in ActionSupport#getText() but this is out of
> Struts control.
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: OGNL expressions in headers and parameters
2017-03-13 9:50 GMT+01:00 Tamás Barta:
> I mean I never want an HTTP header or parameter to be handled as an OGNL
> expression and get evaluated. I would like it to be retrieved as it is, for
> security purposes.

As I said, Struts doesn't evaluate incoming params as OGNL expressions, but when you use such a param in a JSP, it will be evaluated.

The same can happen in ActionSupport#getText() but this is out of Struts control.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: OGNL expressions in headers and parameters
I mean I never want an HTTP header or parameter to be handled as an OGNL expression and get evaluated. I would like it to be retrieved as it is, for security purposes.

On Mon, Mar 13, 2017 at 9:44 AM, Lukasz Lenart wrote:
> 2017-03-13 9:41 GMT+01:00 Tamás Barta:
> > Hi,
> >
> > Is there any way to disable evaluating OGNL expressions in HTTP headers
> > and request parameters?
>
> There is no direct evaluation of request parameters or headers. The
> problem is that those values are often used by developers in JSPs or
> in some other places and then the evaluation happens.
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: OGNL expressions in headers and parameters
2017-03-13 9:41 GMT+01:00 Tamás Barta:
> Hi,
>
> Is there any way to disable evaluating OGNL expressions in HTTP headers and
> request parameters?

There is no direct evaluation of request parameters or headers. The problem is that those values are often used by developers in JSPs or in some other places and then the evaluation happens.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/