Example analysis of Struts2 framework site risks

1. Overview

An open source project sponsored by the Apache Software Foundation (ASF) is Struts. The project started as a fork of the Jakarta project and was subsequently promoted to a top-level project of the ASF. By using Java Servlet/JSP technology, it implements the application framework [Web Framework] based on the Model-View-Controller [MVC] design pattern of Java EE Web applications. It is a classic product in the MVC classic design pattern.

In the early days of the development of Java EE Web applications, in addition to using Servlet technology, it was generally developed using a mixture of HTML and Java code in the source code of JavaServer Pages (JSP). These two methods are inevitable in mixing performance and business logic code, which brings huge complexity to early development and later maintenance. In order to get rid of the above constraints and limitations and clearly separate the business logic code from the presentation layer, in 2000, Craig McClanahan adopted the MVC design pattern to develop Struts. This framework product was once regarded as the most extensive and popular JAVA WEB application framework

Struts2 is a Web application framework based on the MVC design pattern. It is essentially equivalent to a servlet. In the MVC design pattern, Struts2 serves as a controller to establish data interaction between the model and the view. Struts 2 is the next generation product of Struts. It is a new Struts 2 framework that merges the technologies of struts 1 and WebWork

2. Vulnerability inventory

2.1. Vulnerability history

With the popularity of the Struts2 framework, more and more enterprise units are using the Struts2 framework for development. High-risk vulnerabilities have been exposed many times in recent years. Many government sites, banks, large Internet companies and other units have been affected, such as : In December 2016, Jingdong 12G user data was leaked, including usernames, passwords, emails, QQ numbers, phone numbers, ID cards and other dimensions. The data amounted to tens of millions of pieces. The reason originated from 2013 Security vulnerabilities in Struts 2. At that time, almost all Internet companies and a large number of banks and government agencies in the country were affected, resulting in a large number of data leaks. Every time a vulnerability broke out in struts2, major Internet vulnerability platforms also received multiple feedbacks such as:

#The code execution problem of Struts2 dates back to 2010, when Meder Kydyraliev from the Google Security Team discovered that the parameter interceptor could be bypassed by using unicde encoding for special characters. The filtering of "#" caused code execution problems. The official vulnerability number was S2-003,

Looking back at the struts2 vulnerability history, we found that the official was not to blame. First of all, developers did not have strong security awareness. Although they took measures Basic security measures, but in name only. Secondly, we feel that the official repair measures lack strength and seem to be only perfunctory, without truly solving the root cause of the problem. Furthermore, the official openness spirit is really shocking. They even directly posted the PoC of the vulnerability on the official website. This gave many people the opportunity to further study the exploitation of the vulnerability. This is also one of the reasons why the problem is more serious.

2.2. Struts2 vulnerability inventory

Struts2 vulnerabilities that have a relatively large impact and are widely exploited:

CVE-2010-1870XWork ParameterInterceptors bypass allows OGNLstatement execution

CVE-2012-0392struts2 DevMod Remote Command Execution Vulnerability

CVE-2011-3923Struts

CVE-2013-1966Struts2

CVE-2013-2251Struts2

Struts2

Struts2

CNVD-2016-02506, CVE-2016-3081, affected versions Struts 2.3.20 - StrutsStruts 2.3.28 (2.3 .20.3 and 2.3.24.3 except)

CVE number: CVE-2016-4438 Struts (S2-037) remote code execution vulnerability, affected version: Struts 2.3.20 - Struts Struts 2.3.28.1

CVE-2017-5638 Affected versions: Struts 2.3.5 – Struts 2.3.31

Struts 2.5 –Struts 2.5.10

For other details, please refer to the struts2 official website Vulnerability history:

https://cwiki.apache.org/confluence/display/WW/Security Bulletins

3 . Distribution

In view of the Struts2 framework with frequent vulnerabilities, we conducted a survey and statistics on the distribution of the Struts framework in the province. By fingerprinting the sites of individual cities, we mapped out the use of the Strust2 framework in various cities in the province. The distribution chart is as follows:

## Combining big data analysis and keyword identification, we analyzed the collected industry conditions where the Strust2 site is used, and drew The following chart:

Specific table data:

1 Government Department 447 28.29% ##2 3 4 5 6 7 8 9 10 #As can be seen from the above figure, the top three (note: excluding other companies) are government departments (accounting for 28.29%) and Internet companies (25.18%) , Educational institutions (9.8%)

##Serial number	Industry type	Quantity	Percentage
Educational Institution	155	9.80%
Financial Industry	110	6.96%
Insurance Industry	28	1.77%
Securities Industry	14	0.88%
Energy Industry	8	0.50%
Transportation Industry	93	5.88%
Telecom operator	114	7.21%
Internet enterprise	398	25.18%
Other companies	213	13.48 %

We conduct vulnerability detection on the collected sites using Struts2 middleware. This time, we use several high-risk vulnerabilities that have a relatively large impact on the Internet to verify and detect vulnerabilities (S2-045, S2-037, S2-032, S2-016). After testing 1580 site samples, it was found that there are still some sites where Struts2 vulnerabilities have not been repaired. The statistics of the sites with detected vulnerabilities are as follows:

## Serial numberIndustryNumber of vulnerabilities1Government Department32 Educational institutions2Financial industryInternet EnterpriseOthers During the detection, we found that many websites had old vulnerabilities before Stuts2 that had not been repaired. Therefore, among the Stuts2 vulnerabilities, registered users of the website were nakedly exposed to hacker attacks. 4. Security Suggestions

		##3
1		4
2		5
2

As the situation becomes increasingly complex, information security has become an issue that involves more than just technology. The development of science and technology is a double-edged sword. It can benefit mankind, but it can also have destructive effects. And this point, in addition to the technology itself, may be more grasped from the level of our consciousness. Faced with the huge impact of vulnerabilities, it is enough to alert information security practitioners in the Internet industry: a wake-up call for information security. , should be kept ringing all the time.

1. We should develop good development habits in information system development. Most loopholes exist from the development stage. Due to negligence during the development process, logical loopholes, etc. will also bring great harm to the system. Security Risk.

2. Back up the website data in a timely manner. When the system is attacked, the attacked system can be restored as soon as possible.

3. Install anti-virus software on the background service, conduct virus scans on the server regularly, and wait for security checks.

4. Pay attention to the latest Internet vulnerabilities in real time and repair the vulnerabilities in the information system in a timely manner.

5. Regularly conduct penetration testing, vulnerability testing and other work on the system to promptly discover problems and repair them in a timely manner to prevent vulnerabilities from being exposed on the Internet.

6. Take systems that are no longer in use offline in a timely manner. Generally, there are more security issues in old systems, and poor management may leak a large amount of sensitive information.

The above is the detailed content of Example analysis of Struts2 framework site risks. For more information, please follow other related articles on the PHP Chinese website!