• info
• discussion
• exploit
• solution
• references

XWork AltSyntax OGNL Input Validation Vulnerability

Solution:
The vendor released XWork 2.0.4 to address this issue. Please see the references for more information.


Apache Software Foundation Struts 2.0.1

• Apache struts-2.0.9-all.zip
  http://people.apache.org/builds/struts/2.0.9/struts-2.0.9-all.zip

OpenSymphony XWork 2.0.1

• OpenSymphony xwork-2.0.4-all.zip
  https://xwork.dev.java.net/files/documents/709/62331/xwork-2.0.4-all.z ip

OpenSymphony XWork 2.0.2

• OpenSymphony xwork-2.0.4-all.zip
  https://xwork.dev.java.net/files/documents/709/62331/xwork-2.0.4-all.z ip

Apache Software Foundation Struts 2.0.2

• Apache struts-2.0.9-all.zip
  http://people.apache.org/builds/struts/2.0.9/struts-2.0.9-all.zip

OpenSymphony XWork 2.0.3

• OpenSymphony xwork-2.0.4-all.zip
  https://xwork.dev.java.net/files/documents/709/62331/xwork-2.0.4-all.z ip

Apache Software Foundation Struts 2.0.3

• Apache struts-2.0.9-all.zip
  http://people.apache.org/builds/struts/2.0.9/struts-2.0.9-all.zip

Apache Software Foundation Struts 2.0.4

• Apache struts-2.0.9-all.zip
  http://people.apache.org/builds/struts/2.0.9/struts-2.0.9-all.zip

Apache Software Foundation Struts 2.0.5

• Apache struts-2.0.9-all.zip
  http://people.apache.org/builds/struts/2.0.9/struts-2.0.9-all.zip

Apache Software Foundation Struts 2.0.6

• Apache struts-2.0.9-all.zip
  http://people.apache.org/builds/struts/2.0.9/struts-2.0.9-all.zip

Apache Software Foundation Struts 2.0.7

• Apache struts-2.0.9-all.zip
  http://people.apache.org/builds/struts/2.0.9/struts-2.0.9-all.zip

Apache Software Foundation Struts 2.0.8

• Apache struts-2.0.9-all.zip
  http://people.apache.org/builds/struts/2.0.9/struts-2.0.9-all.zip

OpenSymphony WebWork 2.1

• OpenSymphony webwork-2.2.6.zip
  https://webwork.dev.java.net/files/documents/693/62430/webwork-2.2.6.z ip

OpenSymphony WebWork 2.2

• OpenSymphony webwork-2.2.6.zip
  https://webwork.dev.java.net/files/documents/693/62430/webwork-2.2.6.z ip

OpenSymphony WebWork 2.2.1

• OpenSymphony webwork-2.2.6.zip
  https://webwork.dev.java.net/files/documents/693/62430/webwork-2.2.6.z ip

OpenSymphony WebWork 2.2.2

• OpenSymphony webwork-2.2.6.zip
  https://webwork.dev.java.net/files/documents/693/62430/webwork-2.2.6.z ip

OpenSymphony WebWork 2.2.3

• OpenSymphony webwork-2.2.6.zip
  https://webwork.dev.java.net/files/documents/693/62430/webwork-2.2.6.z ip

OpenSymphony WebWork 2.2.4

• OpenSymphony webwork-2.2.6.zip
  https://webwork.dev.java.net/files/documents/693/62430/webwork-2.2.6.z ip

OpenSymphony WebWork 2.2.5

• OpenSymphony webwork-2.2.6.zip
  https://webwork.dev.java.net/files/documents/693/62430/webwork-2.2.6.z ip