Forum Discussion
Robinchien_3128
Nimbostratus
Mar 07, 2017
How to fix the Apache Struts2 S2-045 vulnerability with an F5 iRule?
Kai_Wilke
MVP
Mar 08, 2017
Hi Robinchien,
you need to either create a whitelist containing your allowed Content-Type request-header values (most secure but slightly difficult approach) or blacklist certain characters (e.g. @, ., ,, , ( or )) and attack patterns (e.g. ognl, memberaccess, getruntime, exec), which will unlikely be used by your application but are required to pull off the S2-045 remote execution (less secure but easy to implement).
Whitelist approach:
when HTTP_REQUEST {
    switch -exact -- [string tolower [HTTP::header value "Content-Type"]] {
        "" -
        "multipart/form-data" -
        "text/xml; charset=utf-8" -
        "application/x-www-form-urlencoded" {
            # Allow request with empty or whitelisted "Content-Type" headers
        }
        default {
            # Reject request with unknown "Content-Type" headers
            reject
        }
    }
}
Blacklist approach:
when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::header value "Content-Type"]] {
        "*@*" -
        "**" -
        "*.*" -
        "*,*" -
        "*(*" -
        "*)*" -
        "*ognl*" -
        "*memberaccess*" -
        "*getruntime*" -
        "*exec*" {
            # Reject requests with suspicious "Content-Type" headers
            reject
        }
        default {
            # Allow request with unsuspicious "Content-Type" headers
        }
    }
}
Cheers, Kai
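A Python model of the two decision rules in the answer above, added here as an example and not part of Kai's answer or any F5 code, run over constructed Content-Type values to make the trade-off visible: the exact-match whitelist rejects a listed type as soon as a boundary parameter is attached, while the blacklist rejects a legitimate type that merely contains a dot. The blacklist pattern that is unreadable on the page is omitted (assumption).

```python
import fnmatch

# Exact values the whitelist iRule accepts. "" stands for a request with no
# Content-Type header, because HTTP::header value returns "" in that case.
WHITELIST = {"", "multipart/form-data", "text/xml; charset=utf-8",
             "application/x-www-form-urlencoded"}

# Glob patterns from the blacklist iRule. One pattern on the page lost its
# character during extraction and is omitted here (assumption).
BLACKLIST_GLOBS = ["*@*", "*.*", "*,*", "*(*", "*)*",
                   "*ognl*", "*memberaccess*", "*getruntime*", "*exec*"]


def normalize(content_type):
    """Mirror [string tolower [HTTP::header value "Content-Type"]]."""
    return (content_type or "").lower()


def whitelist_allows(content_type):
    """switch -exact: allow only listed values, reject everything else."""
    return normalize(content_type) in WHITELIST


def blacklist_allows(content_type):
    """switch -glob: reject when any pattern matches, otherwise allow."""
    value = normalize(content_type)
    return not any(fnmatch.fnmatchcase(value, g) for g in BLACKLIST_GLOBS)


def evaluate(content_type):
    """Return (whitelist_allows, blacklist_allows) for one header value."""
    return whitelist_allows(content_type), blacklist_allows(content_type)


# Constructed sample header values, not captured traffic.
SAMPLES = {
    None: "no Content-Type header at all",
    "Multipart/Form-Data": "listed type in mixed case",
    "multipart/form-data; boundary=abc123": "listed type with a boundary parameter",
    "application/json": "type missing from the whitelist",
    "application/vnd.api+json": "legitimate type containing a dot",
    "multipart/form-data; name=ognl": "value carrying a blacklisted marker",
}

if __name__ == "__main__":
    for ct, note in SAMPLES.items():
        wl, bl = ("allow" if x else "reject" for x in evaluate(ct))
        print(f"{str(ct):40} whitelist={wl:7} blacklist={bl:7} ({note})")
```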