Home > Article > Operation and Maintenance > Example analysis of Struts2 framework site risks
1. Overview
An open source project sponsored by the Apache Software Foundation (ASF) is Struts. The project started as a fork of the Jakarta project and was subsequently promoted to a top-level project of the ASF. By using Java Servlet/JSP technology, it implements the application framework [Web Framework] based on the Model-View-Controller [MVC] design pattern of Java EE Web applications. It is a classic product in the MVC classic design pattern.
In the early days of the development of Java EE Web applications, in addition to using Servlet technology, it was generally developed using a mixture of HTML and Java code in the source code of JavaServer Pages (JSP). These two methods are inevitable in mixing performance and business logic code, which brings huge complexity to early development and later maintenance. In order to get rid of the above constraints and limitations and clearly separate the business logic code from the presentation layer, in 2000, Craig McClanahan adopted the MVC design pattern to develop Struts. This framework product was once regarded as the most extensive and popular JAVA WEB application framework
Struts2 is a Web application framework based on the MVC design pattern. It is essentially equivalent to a servlet. In the MVC design pattern, Struts2 serves as a controller to establish data interaction between the model and the view. Struts 2 is the next generation product of Struts. It is a new Struts 2 framework that merges the technologies of struts 1 and WebWork
With the popularity of the Struts2 framework, more and more enterprise units are using the Struts2 framework for development. High-risk vulnerabilities have been exposed many times in recent years. Many government sites, banks, large Internet companies and other units have been affected, such as : In December 2016, Jingdong 12G user data was leaked, including usernames, passwords, emails, QQ numbers, phone numbers, ID cards and other dimensions. The data amounted to tens of millions of pieces. The reason originated from 2013 Security vulnerabilities in Struts 2. At that time, almost all Internet companies and a large number of banks and government agencies in the country were affected, resulting in a large number of data leaks. Every time a vulnerability broke out in struts2, major Internet vulnerability platforms also received multiple feedbacks such as:
#The code execution problem of Struts2 dates back to 2010, when Meder Kydyraliev from the Google Security Team discovered that the parameter interceptor could be bypassed by using unicde encoding for special characters. The filtering of "#" caused code execution problems. The official vulnerability number was S2-003,
Looking back at the struts2 vulnerability history, we found that the official was not to blame. First of all, developers did not have strong security awareness. Although they took measures Basic security measures, but in name only. Secondly, we feel that the official repair measures lack strength and seem to be only perfunctory, without truly solving the root cause of the problem. Furthermore, the official openness spirit is really shocking. They even directly posted the PoC of the vulnerability on the official website. This gave many people the opportunity to further study the exploitation of the vulnerability. This is also one of the reasons why the problem is more serious.
Struts2 vulnerabilities that have a relatively large impact and are widely exploited:
CVE-2010-1870XWork ParameterInterceptors bypass allows OGNLstatement execution
CVE-2012-0392struts2 DevMod Remote Command Execution Vulnerability
CVE-2011-3923Struts
CVE-2013-1966Struts2
CVE-2013-2251Struts2
Struts2
Struts2
CNVD-2016-02506, CVE-2016-3081, affected versions Struts 2.3.20 - StrutsStruts 2.3.28 (2.3 .20.3 and 2.3.24.3 except)
CVE number: CVE-2016-4438 Struts (S2-037) remote code execution vulnerability, affected version: Struts 2.3.20 - Struts Struts 2.3.28.1
CVE-2017-5638 Affected versions: Struts 2.3.5 – Struts 2.3.31
Struts 2.5 –Struts 2.5.10
For other details, please refer to the struts2 official website Vulnerability history:
https://cwiki.apache.org/confluence/display/WW/Security Bulletins
In view of the Struts2 framework with frequent vulnerabilities, we conducted a survey and statistics on the distribution of the Struts framework in the province. By fingerprinting the sites of individual cities, we mapped out the use of the Strust2 framework in various cities in the province. The distribution chart is as follows:
Specific table data:
| ##Serial number | Industry type | Quantity | Percentage |
| Government Department | 447 | 28.29% | |
| Educational Institution | 155 | 9.80% | |
| Financial Industry | 110 | 6.96% | |
| Insurance Industry | 28 | 1.77% | |
| Securities Industry | 14 | 0.88% | |
| Energy Industry | 8 | 0.50% | |
| Transportation Industry | 93 | 5.88% | |
| Telecom operator | 114 | 7.21% | |
| Internet enterprise | 398 | 25.18% | |
| Other companies | 213 | 13.48 % |
We conduct vulnerability detection on the collected sites using Struts2 middleware. This time, we use several high-risk vulnerabilities that have a relatively large impact on the Internet to verify and detect vulnerabilities (S2-045, S2-037, S2-032, S2-016). After testing 1580 site samples, it was found that there are still some sites where Struts2 vulnerabilities have not been repaired. The statistics of the sites with detected vulnerabilities are as follows:
| Number of vulnerabilities | ||
|---|---|---|
| 3 | 2 | |
| 2 | ##3 | |
| 1 | 4 | |
| 2 | 5 | |
| 2 | During the detection, we found that many websites had old vulnerabilities before Stuts2 that had not been repaired. Therefore, among the Stuts2 vulnerabilities, registered users of the website were nakedly exposed to hacker attacks. |
As the situation becomes increasingly complex, information security has become an issue that involves more than just technology. The development of science and technology is a double-edged sword. It can benefit mankind, but it can also have destructive effects. And this point, in addition to the technology itself, may be more grasped from the level of our consciousness. Faced with the huge impact of vulnerabilities, it is enough to alert information security practitioners in the Internet industry: a wake-up call for information security. , should be kept ringing all the time.
2. Back up the website data in a timely manner. When the system is attacked, the attacked system can be restored as soon as possible.
3. Install anti-virus software on the background service, conduct virus scans on the server regularly, and wait for security checks.
4. Pay attention to the latest Internet vulnerabilities in real time and repair the vulnerabilities in the information system in a timely manner.
5. Regularly conduct penetration testing, vulnerability testing and other work on the system to promptly discover problems and repair them in a timely manner to prevent vulnerabilities from being exposed on the Internet.
6. Take systems that are no longer in use offline in a timely manner. Generally, there are more security issues in old systems, and poor management may leak a large amount of sensitive information.
The above is the detailed content of Example analysis of Struts2 framework site risks. For more information, please follow other related articles on the PHP Chinese website!