
CVE-2014-0114 PoC — Apache Struts input validation error vulnerability

Source
Associated Vulnerability
Title: Apache Struts input validation error vulnerability (CVE-2014-0114)
Description: Apache Struts is an open-source project of the Apache Software Foundation: an open-source MVC framework for building enterprise Java web applications, offered mainly as two product lines, Struts 1 and Struts 2. Apache Struts versions 1.x up to and including 1.3.10 contain an input validation error vulnerability. An attacker who exploits this vulnerability can execute arbitrary code.
Description
A request parameter filter solution for Struts 1 CVE-2014-0114 based on the work of Alvaro Munoz and the HP Fortify team
Readme
struts1filter
=============

A request parameter filter solution for [Apache Struts 1](http://struts.apache.org/) [CVE-2014-0114](https://issues.apache.org/jira/browse/STR-3220) based on the work of [Alvaro Munoz and the HP Fortify team](http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VDqkCdTLeT4).

To use this filter, add the following filter declaration, along with an appropriate mapping, to the web.xml descriptor
of the Apache Struts 1 application to be protected:

```
<filter>
    <filter-name>ParamWrapperFilter</filter-name>
    <filter-class>net.rgielen.struts1.filter.ParamWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ParamWrapperFilter</filter-name>
    <servlet-name>YOUR ACTION SERVLET</servlet-name>
</filter-mapping>
```

The filter comes with a default regular expression that matches harmful parameter names;
it can be overridden by explicit configuration:

```
<filter>
    <filter-name>ParamWrapperFilter</filter-name>
    <filter-class>net.rgielen.struts1.filter.ParamWrapperFilter</filter-class>
    <init-param>
        <param-name>excludeParams</param-name>
        <param-value>(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*</param-value>
    </init-param>
</filter>
...
```
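To see which parameter names the pattern above actually hides from the application, here is an added Python model of the wrapper's parameter-name check. It is not the project's own Java code; the function names and the sample request are constructed for illustration. It applies the regular expression quoted in the configuration above with full-match semantics, because Java's `String.matches()` is anchored at both ends.

```python
import re

# The excludeParams pattern quoted in the README's override example.
# Java's String.matches() is anchored at both ends, so re.fullmatch
# reproduces its behaviour.
EXCLUDE_PARAMS = re.compile(r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""")


def is_excluded(name, pattern=EXCLUDE_PARAMS):
    """True if the parameter name would be hidden from the wrapped request."""
    return pattern.fullmatch(name) is not None


def wrap_parameters(params, pattern=EXCLUDE_PARAMS):
    """Model of what a parameter-wrapping filter exposes to the application:
    the same parameter map with every excluded name dropped.

    params maps parameter name -> list of values (servlet getParameterMap shape).
    Returns (kept, dropped_names).
    """
    kept = {}
    dropped = []
    for name, values in params.items():
        if is_excluded(name, pattern):
            dropped.append(name)
        else:
            kept[name] = list(values)
    return kept, dropped


# Constructed sample request (hypothetical): ordinary form fields plus
# names that would walk into a form bean's "class" property through the
# nested / indexed property syntax that BeanUtils understands.
SAMPLE_REQUEST = {
    "userName": ["alice"],
    "classification": ["internal"],   # contains "class" but not as a property step
    "subclass": ["b"],                # "class" at the end, no following step
    "class.foo": ["x"],               # nested property on "class"
    "form.Class.bar": ["y"],          # capitalised variant, deeper in the path
    "items['class'].baz": ["z"],      # mapped-property syntax
}

if __name__ == "__main__":
    kept, dropped = wrap_parameters(SAMPLE_REQUEST)
    print("kept:   ", sorted(kept))
    print("dropped:", dropped)
```

Note the bare `.*` alternative in the first group: it means the pattern matches a `class` step anywhere in the name, not only at the start, so a legitimately named property such as `form.Class.bar` is hidden as well. That is the intended trade-off for a blocking filter, but it is worth checking your own form beans for property paths containing `class` before deploying the default pattern.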

The filter is released to Maven Central. Use the following Maven dependency declaration to incorporate it in your project
(Ivy, Gradle and SBT accordingly):
```
<dependency>
    <groupId>net.rgielen</groupId>
    <artifactId>struts1filter</artifactId>
    <version>1.0.0</version>
</dependency>
```
It can also be downloaded directly. Use [the Central Repository Search](http://search.maven.org/) with the coordinates
provided above to find and download the jar.
File Snapshot

```
[4.0K] /data/pocs/1e2a9d6ec0326548362996ba04d66230360d3740
├── [ 11K] LICENSE
├── [4.2K] pom.xml
├── [1.7K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] net
                └── [4.0K] rgielen
                    └── [4.0K] struts1
                        └── [4.0K] filter
                            └── [7.4K] ParamWrapperFilter.java

7 directories, 4 files
```