CRITICAL
Rule Definition
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Struts 2 introduced the “Dynamic Method Invocation” (DMI) feature, which lets an Action expose methods other than execute().
This feature is a security problem because any user of a Struts 2 web application can also use DMI to call any public method of the Action class, not only the methods the developer mapped.
When Dynamic Method Invocation is enabled, it is also possible to pass a malicious expression in place of a method name and have it evaluated on the server side, which can lead to arbitrary code execution (CVE-2016-3081).
DMI uses the string following a “!” character in an action name as the name of the method to invoke: a request for Category!create.action uses the “Category” action mapping but calls its create() method instead of execute().
Another way to use DMI is to supply an HTTP parameter whose name is prefixed with method:. In a URL this looks like Category.action?method:create=foo; the parameter value is ignored, only the name matters. In POST requests the same can be done with a hidden input field or with a submit button whose name carries the method: prefix.
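As an added example (not part of the original rule text), the following Python script turns the two DMI request syntaxes described above into a detection run over constructed sample access-log lines: a “!” in the last path segment, or a query parameter whose name starts with method:. It also rates a hit higher when the extracted method name is not a plain Java identifier, because a legitimate DMI call names a method while an injected expression does not. The log lines, the severity labels and the helper names are this example's own assumptions, not anything from the rule or from Struts.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in common log format (not from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2016:10:01:02 +0000] "GET /app/Category.action HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2016:10:01:07 +0000] "GET /app/Category!create.action HTTP/1.1" 200 233
10.0.0.9 - - [12/May/2016:10:02:11 +0000] "GET /app/Category.action?method:create=foo HTTP/1.1" 200 233
10.0.0.9 - - [12/May/2016:10:02:15 +0000] "POST /app/calculator_add.action HTTP/1.1" 200 180
10.0.0.9 - - [12/May/2016:10:02:20 +0000] "GET /app/Category.action?method:foo.bar(1)=x HTTP/1.1" 500 0
"""

# Request line inside the quotes of a common-log-format entry.
REQUEST = re.compile(r'"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# name!method form: "Category!create.action" -> method "create"
BANG_FORM = re.compile(r"^(?P<action>[^!]+)!(?P<method>[^!]+?)(?:\.action)?$")
# A legitimate DMI method name is a plain Java identifier; anything else looks like an expression.
JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def dmi_findings(target):
    """Return [(kind, method_name)] for DMI syntax found in a request target (path + query)."""
    parts = urlsplit(target)
    findings = []
    last_segment = parts.path.rsplit("/", 1)[-1]
    m = BANG_FORM.match(last_segment)
    if m:
        findings.append(("bang", m.group("method")))
    # keep_blank_values so that a bare "?method:create" (no "=") is still seen
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("method:"):
            findings.append(("method-prefix", name[len("method:"):]))
    return findings


def severity(method_name):
    """Identifier-shaped names mean DMI is in use; anything else suggests expression injection."""
    return "medium" if JAVA_IDENT.match(method_name) else "high"


def scan_log(text):
    """Scan access-log text; return one (target, kind, method, severity) tuple per DMI hit."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        target = m.group("target")
        for kind, method in dmi_findings(target):
            alerts.append((target, kind, method, severity(method)))
    return alerts


if __name__ == "__main__":
    for target, kind, method, sev in scan_log(SAMPLE_LOG):
        print(f"[{sev}] {kind:<13} method={method!r} {target}")
```

Access logs carry only the query string, so a method: parameter sent in a POST body (the hidden-field or submit-button variant) is invisible here; apply the same dmi_findings() logic inside a servlet filter or WAF rule that sees request parameters. A hit with an identifier-shaped method name is at most evidence that DMI is reachable; the non-identifier names are the ones that warrant an incident look.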
Remediation
Disable Dynamic Method Invocation whenever possible, or upgrade to Apache Struts 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Violation Code Sample
Consider the following JSP code:
<s:form action="calculator_add" >
    <s:textfield name="num1" label="Number 1"></s:textfield>
    <s:textfield name="num2" label="Number 2"></s:textfield>
    <s:submit action="calculator_add" value="Add" />
    <s:submit action="calculator_sub" value="Subtract" />
</s:form>
Struts configuration:
<package name="calc" extends="struts-default">
    <action name="calculatorInput">
        <result>/pages/calculator.jsp</result>
    </action>
    <action name="calculatorResult">
        <result>/pages/calculatorResult.jsp</result>
    </action>
    <action name="calculator_*" method="{1}"
            class="com.G2.Actions.CalculatorAction">
        <result name="success" type="chain">calculatorResult</result>
    </action>
</package>
Instead of writing a separate action mapping per method, the action name is given as the wildcard “calculator_*” with method=“{1}”: a request for “calculator_add” executes the add() method of the Action class, and “calculator_sub” executes sub(). The method to run is taken from the request, so the caller, not the configuration, decides which public method of the Action class is invoked. With DMI enabled this means any public method other than execute() can be reached, including methods the developer never intended to expose through the web, and nothing in the mapping above restricts the method name.
Fixed Code Sample
Disable Dynamic Method Invocation whenever possible, or upgrade to Apache Struts 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Disable DMI using one of the following approaches.
Include this Struts2 property setting in struts.xml:
<constant name="struts.enable.DynamicMethodInvocation" value="false" />
or in struts.properties:
struts.enable.DynamicMethodInvocation = false
or in web.xml, include this init-param node in the Struts 2 filter:
<init-param>
    <param-name>struts.enable.DynamicMethodInvocation</param-name>
    <param-value>false</param-value>
</init-param>
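Because the constant can be set in three places, the fix is only effective if no later source turns it back on. The following Python check is an added example (not CAST's or the Struts project's code) that reads the DMI constant from each of the three locations above and resolves which one wins. It assumes the documented Struts load order, in which struts.xml is read first, then struts.properties, then the filter init-params in web.xml, each overriding the previous, and it assumes the framework default of true for Struts 2.3.x (Struts 2.5 changed that default to false). The three configuration snippets are constructed for the example and deliberately disagree: struts.xml and struts.properties disable DMI, but a web.xml init-param re-enables it.

```python
import xml.etree.ElementTree as ET

PROP = "struts.enable.DynamicMethodInvocation"

# Constructed sample configuration files for this example (not the original project's files).
STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false" />
  <constant name="struts.enable.DynamicMethodInvocation" value="false" />
  <package name="calc" extends="struts-default">
    <action name="calculator_*" method="{1}" class="com.G2.Actions.CalculatorAction">
      <result name="success" type="chain">calculatorResult</result>
    </action>
  </package>
</struts>
"""

STRUTS_PROPERTIES = """# deployment overrides
struts.devMode=false
struts.enable.DynamicMethodInvocation = false
"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    <init-param>
      <param-name>struts.enable.DynamicMethodInvocation</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}init-param' -> 'init-param' (web.xml uses a default namespace)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def from_struts_xml(text):
    """Value of the DMI <constant> in struts.xml, or None if absent (last occurrence wins)."""
    value = None
    for el in ET.fromstring(text).iter():
        if _local(el.tag) == "constant" and el.get("name") == PROP:
            value = el.get("value")
    return value


def from_properties(text):
    """Value of the DMI key in struts.properties (key=value lines, # and ! comments), or None."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, val = line.partition("=")
        if key.strip() == PROP:
            value = val.strip()
    return value


def from_web_xml(text):
    """Value of the DMI filter init-param in web.xml, or None if absent."""
    value = None
    for el in ET.fromstring(text).iter():
        if _local(el.tag) == "init-param" and _child_text(el, "param-name") == PROP:
            value = _child_text(el, "param-value")
    return value


def effective_dmi(struts_xml=None, struts_properties=None, web_xml=None, default="true"):
    """Resolve the effective DMI setting as (enabled, deciding_source).

    Sources are applied in the documented load order (struts.xml, then struts.properties,
    then web.xml init-params), so a later source overrides an earlier one. `default` is the
    framework default used when no file sets the constant: "true" for Struts 2.3.x,
    "false" from Struts 2.5 on (assumption stated in the lead-in).
    """
    enabled, source = default.strip().lower() == "true", "framework default"
    readers = (
        ("struts.xml", struts_xml, from_struts_xml),
        ("struts.properties", struts_properties, from_properties),
        ("web.xml", web_xml, from_web_xml),
    )
    for name, text, reader in readers:
        if text is None:
            continue
        value = reader(text)
        if value is not None:
            enabled, source = value.strip().lower() == "true", name
    return enabled, source


if __name__ == "__main__":
    on, src = effective_dmi(STRUTS_XML, STRUTS_PROPERTIES, WEB_XML)
    print(f"DMI enabled: {on} (decided by {src})")
```

Run against the three constructed files the check reports DMI as enabled, decided by web.xml, even though both struts.xml and struts.properties say false; dropping the web.xml init-param makes struts.properties the deciding source and the result false. The same resolution is worth repeating after every deployment, since container-level web.xml overrides are often owned by a different team than the application's struts.xml.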
Reference
https://nvd.nist.gov/vuln/detail/CVE-2016-3081
http://cwe.mitre.org/data/definitions/77.html
http://www.voidcn.com/article/p-rxshpdqc-kh.html
Related Technologies
Technical Criterion
Secure Coding - Weak Security Features
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.