Posts

Showing posts from May, 2022

2nd RCE and XSS in Apache Struts before 2.5.30

Image
2nd RCE and XSS in Apache Struts 2.5.0 - 2.5.29 Abstract In early April 2021 I disclosed a 0day on Apache Struts 2.5.0-2.5.29  here  after responsibly disclosing it and eventually getting permission from Apache Struts. However, I decided to keep digging and found a second, new RCE caused by double OGNL evaluation via a different vector which I'll be describing here.  If you want to know more about Apache Struts RCEs via OGNL evaluations I highly recommend checking out the work by Man Yue Mo and Alvaro Munoz. You can find it here: https:// securitylab.github.com/research/apach e-struts-double-evaluation/ … https:// securitylab.github.com/advisories/GHS L Vulnerability Analysis OGNL evaluations are exploitable when OGNL code is evaluated twice. This is often done when the "findString" or "findValue" function are called consecutively inside an object like Component or UIBean object. In order to find these issues you typically search through java files to find where...