" /> OpenSymphony: July 2007 Archives

« May 2007 | Main | August 2007 »

July 21, 2007

WebWork 2.2.6 released (Security Fix)

Opensymphony and the WebWork team are proud to announce the release of
WebWork version 2.2.6.

This release, approximately 3 months after WebWork 2.2.5, is a
maintenance release, due to a critical security issue found in XWork
allowing users to execute arbitrary OGNL expressions. See here for more details.

* Release Notes
* Changelog
* Download here

This release is backwards compatible with WebWork 2.2.5 and is a drop-in
replacement.

We would like to thank both users and contributors of WebWork for
helping out, submitting patches, testing, providing feedback and
participating in various discussions.

The WebWork Development Team

XWork 1.2.3 and 2.0.4 released (Security Fix)

The OpenSymphony XWork team is proud to announce the release of XWork 1.2.3 and XWork 2.0.4, the latest releases in the 1.2 and 2.0 branches of XWork, a command pattern framework, which forms the core of the WebWork 2 and Struts 2 frameworks.

This release specifically addresses a critical security issue allowing users to execute arbitrary OGNL expressions.
We encourage all users of XWork 1.2.x/2.0.x, WebWork 2.2.x and Struts 2.0.x to update to these releases.

Summary

Remote code exploit on form validation error

Who should read this: All XWork 1.2.x, XWork 2.x, WebWork 2.2.x, Struts 2 developers
Impact of vulnerability: Remote code execution
Maximum security rating: Critical
Recommendation: Developers should either apply the patch or upgrade XWork immediately
Affected Software: WebWork 2.1 (with altSyntax enabled), WebWork 2.2.0 - WebWork 2.2.5, Struts 2.0.0 - Struts 2.0.8
Non-Affected Software: WebWork 2.0, WebWork 2.1 (with altSyntax disabled, which is the default)
Original JIRA Ticket: WW-2030

Problem

The 'altSyntax' feature of WebWork 2.1+ and Struts 2 allows OGNL expressions to be embedded in text strings, and those strings are processed recursively. This allows a malicious user to submit a string, usually through an HTML text field, containing an OGNL expression that will then be executed by the server if form validation has failed. For example, say we had this form that required the 'phoneNumber' field to not be blank:

<s:form action="editUser">
  <s:textfield name="name" />
  <s:textfield name="phoneNumber" />
</s:form>

The user could leave the 'phoneNumber' field blank to trigger the validation error, then populate the 'name' field with "%{1+1}". When the form is re-displayed to the user, the value of the 'name' field will be '2'. The reason is the value field is, by default, processed as "%{name}", and since OGNL expressions are evaluated recursively, it is evaluated as if the expression was "%{ %{1+1}}".

The OGNL parsing code is actually in XWork and not in WebWork 2 or Struts 2.

Solution

The fixed version of XWork changes the OGNL parsing so that it is not recursive. Therefore, in the example above, the result will be the expected "%{1+1}". You can either obtain the latest version of WebWork 2 or Struts 2, which contains the fixed XWork library, or download the fixed XWork library directly. Alternatively, you can obtain the patch and apply it to the XWork source code yourself.
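To make the difference between the vulnerable and the fixed behaviour concrete, here is an added model of the two evaluation strategies. It is not XWork's code: a constructed toy expression language (integer literals, value-stack properties and '+') stands in for OGNL, 'render_recursive' models the pre-2.2.6 behaviour in which every expression result is itself re-scanned for '%{...}', and 'render_single_pass' models the fix, in which template expressions are evaluated exactly once and the results are inserted verbatim. 'flag_suspicious_fields' is an additional, assumed defence-in-depth check that a deployment could run over submitted form values to log fields carrying altSyntax delimiters; it is not something the release itself adds.

```python
import re

# Matches one altSyntax expression such as %{name} or %{1+1}.
EXPR = re.compile(r"%\{(.*?)\}")

# Guard against a value that keeps producing new expressions (toy model only).
MAX_DEPTH = 8


def eval_expr(expr, value_stack):
    """Toy stand-in for OGNL (constructed for this example, NOT OGNL itself).

    Accepts a sum of terms; each term is an integer literal or the name of a
    property looked up on the value stack (a plain dict here).
    """
    terms = [t.strip() for t in expr.split("+")]
    values = [int(t) if t.isdigit() else value_stack[t] for t in terms]
    if len(values) == 1:
        return values[0]          # single property or literal, returned as-is
    return sum(values)            # arithmetic on integer terms


def render_recursive(template, value_stack, depth=0):
    """Pre-fix behaviour: the result of each %{...} is fed back into the
    renderer, so a user-controlled field value like "%{1+1}" is evaluated
    as if the template had been "%{ %{1+1}}"."""
    def substitute(match):
        result = str(eval_expr(match.group(1), value_stack))
        if depth < MAX_DEPTH:
            return render_recursive(result, value_stack, depth + 1)
        return result
    return EXPR.sub(substitute, template)


def render_single_pass(template, value_stack):
    """Post-fix behaviour: expressions that appear in the template are
    evaluated once; whatever they produce is inserted literally and is
    never parsed again, so data cannot become code."""
    return EXPR.sub(lambda m: str(eval_expr(m.group(1), value_stack)), template)


def flag_suspicious_fields(form_fields):
    """Assumed defence-in-depth check (not part of the release): return the
    names of submitted fields whose value contains an altSyntax delimiter,
    so they can be logged or rejected at the application boundary."""
    return [name for name, value in form_fields.items() if "%{" in value]


if __name__ == "__main__":
    # Constructed submission: phoneNumber left blank to fail validation,
    # name carrying an expression, mirroring the scenario described above.
    submitted = {"name": "%{1+1}", "phoneNumber": ""}

    # The textfield tag renders its value as "%{name}" when the form is redisplayed.
    print("recursive  :", render_recursive("%{name}", submitted))    # 2
    print("single pass:", render_single_pass("%{name}", submitted))  # %{1+1}
    print("flagged    :", flag_suspicious_fields(submitted))         # ['name']
```

The template author's own expression ('%{name}') is still evaluated in the single-pass renderer; only the second, attacker-controlled level of evaluation disappears, which is exactly the change the release describes.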

We would like to thank both users and contributors of XWork, WebWork and Struts2 for
helping out, submitting patches, testing, providing feedback and
participating in various discussions.

The XWork Development Team

July 07, 2007

OSCache 2.4.1 Released

OpenSymphony and the OSCache team are proud to announce the release of OSCache version 2.4.1 on 7th July 2007.

This maintenance release of 2.4 has two bug fixes:

* The cacheFlushed method is not being invoked on the CacheEntryEventListener
* CacheFilter max-age parameter MAX_AGE_NO_INIT not set properly

This release can be downloaded now.