21日信息安全部副总监转来一封邮件,关于OA的重大安全隐患,一是越权访问的问题;二是struts版本问题,经过一段时间的整改,现将问题描述和解决方案及实施过程总结如下:
越权访问漏洞
风险等级:高危
问题类型:程序漏洞
问题描述:
由于OA系统档案查询模块没有对查询者的权限进行完整验证,导致攻击者可以利用该漏洞在查询模块通过修改工号的方式遍历公司所有员工的个人信息。(注:editStaffInfoByCode参数值即工号)
漏洞地址:
curl 'https://oa.*******.com/dependence/queryStaffinfoByStaffId.action' -H 'Cookie: Hm_lvt_0f350e5390b92578122a09670da4e18a=1444457881;JSESSIONID=17F532AA5A02473F18BFC2251D9EB4CD.s39;Hm_lvt_f5127c6793d40d199f68042b8a63e725=1444382434,1444640491,1445232940;Hm_lpvt_f5127c6793d40d199f68042b8a63e725=1445234011' -H 'Origin: https://oa.*******.com' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: zh-CN,zh;q=0.8' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Referer:https://oa.*******.com/dependence/staffInfoAdd.action?editStaffInfoByCode=FX006635&command=detail&selfstaffinfo=showFiled' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' --data-binary '{"staffinfoVo":{"staffinfoEntity":{"staffId":"FX006635"}}}' --compressed
解决方案:
1.修改网站代码,添加权限验证功能,可以划分用户组,根据用户组进行权限划分并严格限制用户的访问;
2.复用管理范围和数据权限功能(mybatis拦截器对查询进行拦截并处理),使数据查询控制在管理范围的范畴内;
3.前端不向后端传递参数,用于查询的工号在后端从redis服务器上直接拉取当前用户的工号;
4.前端传递的参数不使用工号,而使用档案的uuid代理主键,防止攻击者使用伪造数据遍历;
Struts2命令执行漏洞
风险等级:高危
问题类型:程序漏洞
问题描述:
OA系统使用的struts2框架版本较低,存在远程代码执行漏洞,攻击者可利用该漏洞远程进行执行命令、上传脚本后门文件等操作,进而直接获取服务器权限。
漏洞地址:
https://oa.*******.com/main/index.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
解决方案:
1.升级struts2框架到最新版本,将struts2升级到2.3.15.1
2.在升级的过程中导致 StrutsModuleConfigProvider 类在加载classpath 下的struts配置文件出错;
3.通过以下方法解决该错误
1.在pom.xml中更新版本号
<struts-version>2.3.15.1</struts-version>
2.将struts2的自动装载配置文件方法重写如下
public class StrutsModuleConfigProvider extends XmlConfigurationProvider {
//需要解析加载的文件路径
private static final String FILE_PATTERN = "classpath*:com/fx/**/server/META-INF/struts.xml";
public StrutsModuleConfigProvider() {
Map<String, String> mappings = new HashMap<String, String>();
mappings.put("-//OpenSymphony Group//XWork 2.1.3//EN",
"xwork-2.1.3.dtd");
mappings.put("-//OpenSymphony Group//XWork 2.1//EN", "xwork-2.1.dtd");
mappings.put("-//OpenSymphony Group//XWork 2.0//EN", "xwork-2.0.dtd");
mappings.put("-//OpenSymphony Group//XWork 1.1.1//EN",
"xwork-1.1.1.dtd");
mappings.put("-//OpenSymphony Group//XWork 1.1//EN", "xwork-1.1.dtd");
mappings.put("-//OpenSymphony Group//XWork 1.0//EN", "xwork-1.0.dtd");
mappings
.put(
"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN",
"struts-2.0.dtd");
mappings
.put(
"-//Apache Software Foundation//DTD Struts Configuration 2.1//EN",
"struts-2.1.dtd");
mappings
.put(
"-//Apache Software Foundation//DTD Struts Configuration 2.1.7//EN",
"struts-2.1.7.dtd");
setDtdMappings(mappings);
}
/**
* (non-Javadoc)
*
* @see com.opensymphony.xwork2.config.ContainerProvider#needsReload()
*/
@Override
public boolean needsReload() {
return true;
}
/*
* (non-Javadoc)
*
* @see com.opensymphony.xwork2.config.ContainerProvider#register(com.opensymphony.xwork2.inject.ContainerBuilder,
* com.opensymphony.xwork2.util.location.LocatableProperties)
*/
@Override
public void register(ContainerBuilder containerBuilder,
LocatableProperties props) throws ConfigurationException {
super.register(containerBuilder, props);
}
/*
* (non-Javadoc)
*
* @see com.opensymphony.xwork2.config.PackageProvider#loadPackages()
*/
@Override
public void loadPackages() throws ConfigurationException {
super.loadPackages();
}
@Override
protected Iterator<URL> getConfigurationUrls(String fileName)
throws IOException {
List<URL> urls = new ArrayList<URL>();
Resource[] resources = getAllResourcesUrl();
for (Resource resource : resources) {
urls.add(resource.getURL());
}
return urls.iterator();
}
/**
* 获取系统中需要搜寻的struts的配置
*
* @return
* @throws IOException
*/
private Resource[] getAllResourcesUrl() {
ResourcePatternResolver resoler = new PathMatchingResourcePatternResolver();
try {
return resoler.getResources(FILE_PATTERN);
} catch (IOException e) {
e.printStackTrace();
}
return new Resource[0];
}