|XWork... - VULHUB开源网络安全威胁库

XWork...

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

BUGTRAQ ID: 32101 CNCAN ID：CNCAN-2008110505 XWork是一款命令模式框架，用于支持Struts 2及其他应用。 XWork存在设计问题，远程攻击者可以利用漏洞绕过安全限制，操作服务端上下文对象。 XWork ParametersInterceptor实现存在安全绕过问题，OGNL是复杂的语言提供大量特性，如使用表达式评估： http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html 可能绕过'#'保护和修改内容中的对象，如设置#session.user设置为'0wn3d'，可使用如下参数名： ('\u0023' + 'session[\'user\']')(unused)=0wn3d 这看起来会形成如下URL编码： ('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d 攻击者可以利用此问题以用户运行的应用程序特权操作服务端的内容上下文，破坏应用程序或对系统进行攻击。 OpenSymphony XWork 2.0.5 OpenSymphony XWork 2.0.4 OpenSymphony XWork 2.0.3 OpenSymphony XWork 2.0.2 OpenSymphony XWork 2.0.1 Apache Software Foundation Struts 2.0.11 .2 Apache Software Foundation Struts 2.0.9 Apache Software Foundation Struts 2.0.8 Apache Software Foundation Struts 2.0.7 Apache Software Foundation Struts 2.0.6 Apache Software Foundation Struts 2.0.5 Apache Software Foundation Struts 2.0.4 Apache Software Foundation Struts 2.0.3 Apache Software Foundation Struts 2.0.2 Apache Software Foundation Struts 2.0.1 Apache Software Foundation Struts 2.0 XWork 2.0.6已经修正此漏洞： Apache Software Foundation Struts 2.0 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.1 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.11 .2 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.2 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.3 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.4 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.5 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.6 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.7 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.8 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a> Apache Software Foundation Struts 2.0.9 Apache Software Foundation struts-2.0.12-all.zip <a href=http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip target=_blank>http://people.apache.org/builds/struts/2.0.12/struts-2.0.12-all.zip</a>

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™

XWork...

漏洞利用/PoC

受影响的平台与产品

贡献用户

相关漏洞清单