Matthew Remacle (Remy) digs into the newly disclosed Apache Struts2 CVE-2023-50164 file upload vulnerability (Apache advisory S2-066). This weakness allows an attacker to drop a web shell onto the server that can then be invoked remotely through the application's public interface via its defined action routes.
Apache Struts2 is an open-source Java web application development framework used in various enterprise-grade applications and business use cases.
The flaw is a path traversal in Struts2's handling of multipart/form-data requests: by manipulating the file upload parameters, an attacker bypasses the path normalization constraints that are supposed to confine an uploaded file to the intended upload directory.
The attacker can therefore write a web shell (e.g., shell.jsp) to a location the servlet container serves, and then call it remotely over HTTP.
Whether this is exploitable in practice depends on how a vendor's product integrates Apache Struts2: which actions accept file uploads, where those uploads are written, and whether the defined action paths expose the written file. Apache fixed the issue in Struts 2.5.33 and 6.3.0.2; earlier 2.x and 6.x releases are affected.
Check out Bugcrowd.com - we can manage the whole thing for you and we can even give your dev team remediation advice/information so that they can fix it.
We've been doing this stuff for several years, so we'll be able to help you get everything set up and ready to go, no problem :)
Thanks, I've actually seen it and I've added it to my research. I'm just looking for more feedback; I want to make sure I'm helping improve a real problem. Can I post on Bugcrowd's forums to gather more feedback?
* Edit *
I also sent a tweet to @ZephrFish to get his input too :)
There are a ton of different directions that you can head in and focus on. I encourage you to start/look at stuff that you're genuinely interested in and excited about.
(Disclosure: I work for Bugcrowd) That's why we suggest going with a 'managed' bounty. That's where Bugcrowd triages all of the incoming bugs and then passes along the valid bugs for you to prioritize and reward. It cuts out all of the noise and only gives you the results.
Every startup with a significant bounty program I've talked to either staffs an internal triage team or outsources triage, but either way they are spending extra money on triage. I haven't talked to any that don't do this.
The concerns I've had raised to me about the value of these programs in practice all assume you're already paying extra to triage.
Right but the cost differential between staffing it yourself and paying someone else to do it is substantial. Doing it yourself will cost you 3-5x more than paying someone else who is able to do it at scale.
Agreed with others that it's worth considering a small private program. You can do time boxed bounties with a capped cost, that way you're getting results without committing to a huge budget. Check out Bugcrowd's "on demand" bounty: https://bugcrowd.com/solutions
New programs are launching all the time or the scope of current programs is expanding out to include new products or features. It's never too late to get started, there's actually more work than researchers at the moment and it will be like that for many, many years to come.
In terms of how to get started, I definitely suggest monitoring the various bug bounty sites to see what's new and if a bounty's scope has expanded.
Yeah, if you're running a public program and handling a lot of submissions (pretty typical), handling the volume of bugs and evaluating them quickly can be quite tricky. Not only is it important for the company because you want to make sure you're aware of what's out there, but you also want to make sure the security researchers have a great experience.