
1. Vulnerability description: I saw that ThreatBook (微步) and other vendors had published advisories for Struts2 S2-069.


2. Vulnerability analysis: The patch configures the parser to disable external entity resolution.


Looking at the DomHelper.parse() method: it falls back to the default javax.xml.parsers.SAXParserFactory with no hardening features set, so external entities declared in a DOCTYPE are resolved. That is a textbook XXE.

```java
// Excerpt from com.opensymphony.xwork2.util.DomHelper before the S2-069 fix.
// ObjectFactory, ActionContext, DOMBuilder, LocationAttributes and StartHandler
// are Struts-internal types; the parser classes come from javax.xml.parsers.
public static Document parse(InputSource inputSource) {
    return parse(inputSource, null);
}

public static Document parse(InputSource inputSource, Map<String, String> dtdMappings) {
    SAXParserFactory factory = null;
    String parserProp = System.getProperty("xwork.saxParserFactory");
    if (parserProp != null) {
        try {
            ObjectFactory objectFactory = ActionContext.getContext().getContainer().getInstance(ObjectFactory.class);
            Class clazz = objectFactory.getClassInstance(parserProp);
            factory = (SAXParserFactory) clazz.newInstance();
        } catch (Exception e) {
            LOG.error("Unable to load saxParserFactory set by system property 'xwork.saxParserFactory': {}", parserProp, e);
        }
    }

    if (factory == null) {
        // Default SAXParserFactory: no security features set, external entities are resolved
        factory = SAXParserFactory.newInstance();
    }

    factory.setValidating((dtdMappings != null));
    factory.setNamespaceAware(true);

    SAXParser parser;
    try {
        parser = factory.newSAXParser();
    } catch (Exception ex) {
        throw new StrutsException("Unable to create SAX parser", ex);
    }
    DOMBuilder builder = new DOMBuilder();

    // Enhance the sax stream with location information
    ContentHandler locationHandler = new LocationAttributes.Pipe(builder);
    try {
        // Attacker-controlled XML reaches the parser here with external entities enabled
        parser.parse(inputSource, new StartHandler(locationHandler, dtdMappings));
    } catch (Exception ex) {
        throw new StrutsException(ex);
    }
    return builder.getDocument();
}
```
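For contrast, the following is an added example (my own code, not the Struts patch and not part of the original post) showing how a SAXParserFactory is hardened against exactly the input DomHelper.parse accepted above. It goes slightly beyond the post: besides turning off external general and parameter entities, it also stops external DTD loading, enables secure processing, and offers an option to reject any DOCTYPE outright for callers that never need one. The class name HardenedSax, the helper names and the sample document are assumptions for illustration; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical hardened counterpart of the default factory used by DomHelper.parse. */
public final class HardenedSax {

    /**
     * Build a SAXParserFactory that never fetches external entities or DTDs.
     * allowDoctype=false additionally rejects any DOCTYPE declaration, which is the
     * safest setting when the input has no legitimate need for a DTD.
     */
    public static SAXParserFactory hardenedFactory(boolean allowDoctype)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setValidating(false);
        // The two XXE primitives: external general and external parameter entities
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD named in a DOCTYPE
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Entity-expansion and size limits (also mitigates "billion laughs")
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        if (!allowDoctype) {
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        return factory;
    }

    /** Parse the document and return its text content plus the names of any skipped entities. */
    public static String parseText(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        StringBuilder text = new StringBuilder();
        StringBuilder skipped = new StringBuilder();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
            @Override
            public void skippedEntity(String name) {
                // The parser reports, rather than resolves, an entity it was told not to load
                skipped.append(name);
            }
        });
        return text.toString() + (skipped.length() > 0 ? " [skipped entity: " + skipped + "]" : "");
    }

    // Constructed sample input: a DOCTYPE declaring an external general entity that points at a
    // placeholder file URL, then a reference to it in content. This is the shape of document
    // that the unhardened DomHelper.parse would have expanded.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file.txt\"> ]>\n"
      + "<data>&ext;</data>";

    public static void main(String[] args) throws Exception {
        // Mode 1: DOCTYPE tolerated, external entities disabled -> the entity is skipped, not resolved
        System.out.println("allowDoctype=true : '" + parseText(hardenedFactory(true), SAMPLE) + "'");
        // Mode 2: DOCTYPE rejected outright -> the parser refuses the whole document
        try {
            parseText(hardenedFactory(false), SAMPLE);
        } catch (SAXException e) {
            System.out.println("allowDoctype=false: rejected: " + e.getMessage());
        }
    }
}
```

The DomHelper code path keeps validation on when dtdMappings are supplied and resolves those DTDs from an in-memory map, so a drop-in fix for that class would use the allowDoctype=true configuration; application code that parses untrusted XML and never needs a DTD should prefer allowDoctype=false. Either way the check to run in review is the same: any SAXParserFactory.newInstance() (or DocumentBuilderFactory/XMLInputFactory) that is handed untrusted input without these features set is a finding.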

3. Environment setup: Create an XXEAction that calls com.opensymphony.xwork2.util.DomHelper.parse to parse the XML submitted in the request.

4. Reproduction


5. Affected scope: The Struts framework itself is not affected by default. com.opensymphony.xwork2.util is only a utility package, and DomHelper.parse has to be called explicitly by application code, so the affected scope is small.

6. References
https://issues.apache.org/jira/browse/WW-5252
https://github.com/apache/struts/commit/6658c6360e771a793ab261e5b4d3ed9dfb6720d3#diff-fbc632eaf4a09c1feac83796f72802d9e332dbb680473b1c6f3add6ad8946495R105