High-Risk OA Vulnerability Repair Process
On the 21st, the Deputy Director of the Information Security Department sent an email about two major security risks in the OA system: an unauthorized access issue and an outdated struts version. The problem descriptions, solutions and implementation process are summarized as follows:
Unauthorized Access Vulnerability
Risk Level: High Risk
Problem type: program vulnerabilities
Problem description:
Because the file query module of the OA system does not fully verify the permissions of the requester, an attacker can traverse the personal information of every employee in the query module simply by changing the employee ID in the request (an insecure direct object reference). (Note: the value of the editStaffInfoByCode parameter is the employee ID.)
Vulnerability address:
curl 'https://oa.*******.com/dependence/queryStaffinfoByStaffId.action' \
  -H 'Cookie: Hm_lvt_0f350e5390b92578122a09670da4e18a=1444457881; JSESSIONID=17F532AA5A02473F18BFC2251D9EB4CD.s39; hm_lvt_f5rjc6793d40d199f68042b8a63e725=1444382434,1444640491,1445232940; expires=1445234011' \
  -H 'Origin: https://oa.*******.com' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Accept-Language: zh-CN,zh;q=0.8' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36' \
  -H 'Content-Type: application/json; charset=UTF-8' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'Referer: https://oa.*******.com/dependence/staffInfoAdd.action?editStaffInfoByCode=FX006635&command=detail&selfstaffinfo=showFiled' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Connection: keep-alive' \
  --data-binary '{"staffinfoVo":{"staffinfoEntity":{"staffId":"FX006635"}}}' \
  --compressed
Solution:
1. Modify the website code and add a permission verification function: divide users into user groups, assign permissions per group, and strictly restrict which users each group may access;
2. Reuse the existing management scope and data permission functions (a mybatis interceptor intercepts and rewrites the queries) so that data queries are confined to the caller's management scope;
3. Stop passing the employee ID from the front-end to the backend: the backend reads the current user's employee ID from the redis session server and uses that for the query;
4. Where the front-end must pass a parameter, use the file's uuid proxy primary key instead of the employee ID, so that an attacker cannot traverse records with forged values;
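As an added illustration of steps 2 to 4 (example code, not the OA project's own), the following stand-alone Java class places the old handler, which trusts the staffId sent in the request body, beside a hardened handler that identifies the caller from the server-side session (modelled here by a plain object standing in for the redis record) and accepts only a uuid proxy key. The class and field names, the management-scope set and the sample employees are constructed for the example; an unknown uuid and a uuid outside the caller's scope both yield the same empty answer so the endpoint does not become an existence oracle.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

// Added example, not the OA project's code: models the query paths described
// in the solution. The old path trusts a caller-supplied staffId; the hardened
// path takes the caller's identity from the server-side session and locates
// the record only through its uuid proxy key.
public class StaffInfoQueryExample {

    /** Minimal stand-in for a staff record (all values constructed). */
    static final class StaffInfo {
        final String staffId;   // business key, the employee number
        final String uuid;      // proxy primary key exposed to the front-end
        final String name;
        final String mobile;
        StaffInfo(String staffId, String name, String mobile) {
            this.staffId = staffId;
            this.uuid = UUID.randomUUID().toString();
            this.name = name;
            this.mobile = mobile;
        }
    }

    /** Stand-in for the server-side session record (held in redis in the OA system). */
    static final class Session {
        final String staffId;               // who is logged in
        final Set<String> managementScope;  // staffIds this user is allowed to administer
        Session(String staffId, Set<String> scope) {
            this.staffId = staffId;
            this.managementScope = scope;
        }
    }

    private final Map<String, StaffInfo> byStaffId = new HashMap<String, StaffInfo>();
    private final Map<String, StaffInfo> byUuid = new HashMap<String, StaffInfo>();

    void add(StaffInfo s) {
        byStaffId.put(s.staffId, s);
        byUuid.put(s.uuid, s);
    }

    // BEFORE: the staffId from the JSON body is used as-is, so any logged-in
    // user can walk the whole staff table by changing it.
    StaffInfo vulnerableQuery(String requestedStaffId) {
        return byStaffId.get(requestedStaffId);
    }

    // AFTER (steps 2 and 4): the caller never names a staffId. The record is
    // found by its uuid proxy key and released only if it belongs to the caller
    // or lies inside the caller's management scope.
    StaffInfo hardenedQuery(Session session, String fileUuid) {
        StaffInfo record = byUuid.get(fileUuid);
        if (record == null) {
            return null; // unknown key: same response as "not permitted"
        }
        boolean self = record.staffId.equals(session.staffId);
        boolean inScope = session.managementScope.contains(record.staffId);
        return (self || inScope) ? record : null;
    }

    // AFTER (step 3): a "my own profile" query takes no identifier at all;
    // the employee ID comes from the session, never from the request.
    StaffInfo selfQuery(Session session) {
        return byStaffId.get(session.staffId);
    }

    public static void main(String[] args) {
        StaffInfoQueryExample repo = new StaffInfoQueryExample();
        StaffInfo alice = new StaffInfo("FX000001", "Alice", "13800000001"); // constructed sample data
        StaffInfo bob   = new StaffInfo("FX000002", "Bob",   "13800000002");
        StaffInfo carol = new StaffInfo("FX000003", "Carol", "13800000003");
        repo.add(alice);
        repo.add(bob);
        repo.add(carol);

        // Bob is an ordinary employee with an empty management scope; Carol manages Alice.
        Session bobSession = new Session("FX000002", new HashSet<String>());
        Session carolSession = new Session("FX000003",
                new HashSet<String>(Collections.singletonList("FX000001")));

        System.out.println("vulnerable: Bob asks for FX000001   -> " + repo.vulnerableQuery("FX000001").name);
        System.out.println("hardened:   Bob asks for Alice's uuid -> " + repo.hardenedQuery(bobSession, alice.uuid));
        System.out.println("hardened:   Carol asks for Alice's uuid -> " + repo.hardenedQuery(carolSession, alice.uuid).name);
        System.out.println("self:       Bob with no parameter      -> " + repo.selfQuery(bobSession).name);
    }
}
```

Running main prints Alice's name on the vulnerable path, null for Bob on the hardened path, Alice's name for Carol (inside her management scope) and Bob's own record from the parameterless self query. In the real system the in-scope check would be enforced by the mybatis interceptor on the SQL itself rather than on the returned object, so that it also covers list and search queries.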
Struts2 Command Execution Vulnerability
Risk Level: High Risk
Problem type: program vulnerabilities
Problem description:
The OA system uses an older version of the struts2 framework that contains a remote code execution vulnerability. An attacker can exploit it to execute commands on the server, upload web shell backdoor files and perform other operations that directly yield control of the server.
Vulnerability address:
Https: // oa. *******. com/main/index. action? Redirect: $ {% 23a % 3d (new % 20java. lang. processBuilder (new % 20java. lang. string [] {% 27cat % 27, % 27/etc/passwd % 27 })). start (), % 23b % 3d % 23a. getInputStream (), % 23c % 3 dnew % 20java. io. inputStreamReader (% 23b), % 23d % 3 dnew % 20java. io. bufferedReader (% 23c), % 23e % 3 dnew % 20 char [50000], % 23d. read (% 23e), % 23 matt % 3d % 23context. get (% 27com. opensymphony. xwork2.dispatcher. httpServletResponse % 27), % 23matt. getWriter (). println (% 23e), % 23matt. getWriter (). flush (), % 23matt. getWriter (). close ()}
Solution:
1. Upgrade struts2 to the latest version, which at the time was 2.3.15.1.
2. During the upgrade, the StrutsModuleConfigProvider class failed with an error while loading the struts configuration files from the classpath;
3. The error was resolved as follows:
1. Update the version number in pom.xml:
<struts-version>2.3.15.1</struts-version>
2. Rewrite the method that automatically loads the struts2 configuration files, as follows:
import java.io.IOException;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import org.springframework.core.io.Resource;
import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
import org.springframework.core.io.support.ResourcePatternResolver;

import com.opensymphony.xwork2.config.ConfigurationException;
import com.opensymphony.xwork2.config.providers.XmlConfigurationProvider;
import com.opensymphony.xwork2.inject.ContainerBuilder;
import com.opensymphony.xwork2.util.location.LocatableProperties;

public class StrutsModuleConfigProvider extends XmlConfigurationProvider {

    // Classpath pattern of the per-module configuration files to be parsed and loaded
    private static final String FILE_PATTERN = "classpath*:com/fx/**/server/META-INF/struts.xml";

    public StrutsModuleConfigProvider() {
        // Map the public IDs of the xwork/struts DTDs to the copies bundled in the jars,
        // so the parser resolves them locally instead of fetching them over the network
        Map<String, String> mappings = new HashMap<String, String>();
        mappings.put("-//OpenSymphony Group//XWork 2.1.3//EN", "xwork-2.1.3.dtd");
        mappings.put("-//OpenSymphony Group//XWork 2.1//EN", "xwork-2.1.dtd");
        mappings.put("-//OpenSymphony Group//XWork 2.0//EN", "xwork-2.0.dtd");
        mappings.put("-//OpenSymphony Group//XWork 1.1.1//EN", "xwork-1.1.1.dtd");
        mappings.put("-//OpenSymphony Group//XWork 1.1//EN", "xwork-1.1.dtd");
        mappings.put("-//OpenSymphony Group//XWork 1.0//EN", "xwork-1.0.dtd");
        mappings.put("-//Apache Software Foundation//DTD Struts Configuration 2.0//EN", "struts-2.0.dtd");
        mappings.put("-//Apache Software Foundation//DTD Struts Configuration 2.1//EN", "struts-2.1.dtd");
        mappings.put("-//Apache Software Foundation//DTD Struts Configuration 2.1.7//EN", "struts-2.1.7.dtd");
        setDtdMappings(mappings);
    }

    /**
     * (non-Javadoc)
     *
     * @see com.opensymphony.xwork2.config.ContainerProvider#needsReload()
     */
    @Override
    public boolean needsReload() {
        // Always report a reload is needed; the configuration is re-read on every check
        return true;
    }

    /*
     * (non-Javadoc)
     *
     * @see com.opensymphony.xwork2.config.ContainerProvider#register(com.opensymphony.xwork2.inject.ContainerBuilder,
     *      com.opensymphony.xwork2.util.location.LocatableProperties)
     */
    @Override
    public void register(ContainerBuilder containerBuilder, LocatableProperties props)
            throws ConfigurationException {
        super.register(containerBuilder, props);
    }

    /*
     * (non-Javadoc)
     *
     * @see com.opensymphony.xwork2.config.PackageProvider#loadPackages()
     */
    @Override
    public void loadPackages() throws ConfigurationException {
        super.loadPackages();
    }

    @Override
    protected Iterator<URL> getConfigurationUrls(String fileName) throws IOException {
        // fileName is ignored: every module struts.xml matching FILE_PATTERN is loaded instead
        List<URL> urls = new ArrayList<URL>();
        Resource[] resources = getAllResourcesUrl();
        for (Resource resource : resources) {
            urls.add(resource.getURL());
        }
        return urls.iterator();
    }

    /**
     * Obtain the struts configuration files to be searched for in the system.
     *
     * @return the matching resources, or an empty array if the classpath scan fails
     */
    private Resource[] getAllResourcesUrl() {
        ResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
        try {
            return resolver.getResources(FILE_PATTERN);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return new Resource[0];
    }
}
In a large project built on struts2 there may be many struts2 configuration files. Although struts2 supports wildcard mappings and automatic action loading, it is impractical to keep every action in a single configuration file, so many action configuration files accumulate. Putting all of them into one file makes collaborative development and testing across projects messy. The better arrangement is for each module to have its own action configuration file, with the system locating all of them automatically and completing struts2 initialization through automatic loading.
The config parameter in the struts2 xml configuration can list the paths of the configuration files to load, separated by commas, but that is hard to maintain in a large project. The better approach is automatic scanning: extend the struts2 ConfigurationProvider interface and register the custom loading class in web.xml, which solves the automatic loading of the struts2 configuration files.
In addition, after struts2 is upgraded to 2.3.15.1 to fix the vulnerability, the following error is reported:
java.lang.NoSuchMethodError: ognl.SimpleNode.isEvalChain(Lognl/OgnlContext;)Z
The cause is that the ognl dependency must be upgraded along with it, to 3.0.6.
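As an added example, not part of the original article, the following stand-alone Java check looks for the exact method named in that error, ognl.SimpleNode.isEvalChain(OgnlContext), through reflection and reports which jar the class was loaded from. Run at application start-up, it turns the request-time NoSuchMethodError into a clear message about a stale ognl jar on the classpath. The class name OgnlVersionCheck and the wording of its verdicts are assumptions of the example; the class and method names it checks come from the error above.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;

// Added example, not the OA project's code: a start-up self-check for the
// struts2/ognl version mismatch behind the NoSuchMethodError quoted above.
// Reflection is used so the check compiles without ognl on the classpath.
public class OgnlVersionCheck {

    // Names taken from the error: ognl.SimpleNode.isEvalChain(Lognl/OgnlContext;)Z
    static final String NODE_CLASS = "ognl.SimpleNode";
    static final String CONTEXT_CLASS = "ognl.OgnlContext";
    static final String REQUIRED_METHOD = "isEvalChain";

    /** Returns a one-line verdict and never throws, so it can run from a ServletContextListener. */
    static String check(ClassLoader loader) {
        Class<?> node;
        Class<?> context;
        try {
            // initialize=false: locate the classes without running their static initializers
            node = Class.forName(NODE_CLASS, false, loader);
            context = Class.forName(CONTEXT_CLASS, false, loader);
        } catch (ClassNotFoundException e) {
            return "ognl is not on the classpath: " + e.getMessage();
        }

        // Where SimpleNode came from, normally the path of the ognl jar that was actually picked up
        String origin = "an unknown location";
        CodeSource source = node.getProtectionDomain().getCodeSource();
        if (source != null && source.getLocation() != null) {
            origin = source.getLocation().toString();
        }

        try {
            Method m = node.getMethod(REQUIRED_METHOD, context);
            if (m.getReturnType() != boolean.class) {
                return "UNEXPECTED: " + NODE_CLASS + "." + REQUIRED_METHOD + "(OgnlContext) returns "
                        + m.getReturnType().getName() + " (ognl loaded from " + origin + ")";
            }
            return "OK: " + NODE_CLASS + "." + REQUIRED_METHOD
                    + "(OgnlContext) present, ognl loaded from " + origin;
        } catch (NoSuchMethodException e) {
            // Exactly the state that produces the NoSuchMethodError at request time
            return "STALE ognl: " + NODE_CLASS + " loaded from " + origin + " lacks "
                    + REQUIRED_METHOD + "(OgnlContext); struts2 2.3.15.1 requires ognl 3.0.6";
        }
    }

    public static void main(String[] args) {
        System.out.println(check(Thread.currentThread().getContextClassLoader()));
    }
}
```

Reporting the code source location matters in practice: the error usually comes from an old ognl jar that is still on the classpath beside the new one, or is pulled in transitively, and the printed path shows which jar won the classloader race.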