2

How do I mitigate the Struts 2 malicious Content-Type attack without updating my Java code?

Attack details S2-045.

Roman C
Tim Funk

Related: [Struts 2 S2-016 Vulenerability Mitigation Till Upgrade](http://stackoverflow.com/q/17984864/1700321) – Aleksandr M Mar 10 '17 at 18:01

3 Answers

2

I would add the '%', '}', and '{' characters to the condition as well as they are also not valid Content-type header entries and are present in the POC exploit payload for this vulnerability.

RewriteCond %{HTTP:Content-type} [$\#()%}{]
RewriteRule . - [F,L]

Sorry if I got the syntax wrong as I have not tested this entry yet.

P.S. I would even venture to add the '@', '?' and ';' characters, but those may break an application if filtered as I think they are actually technically allowed, but I have never seen those in a content-type header in any of our application implementations.

Opratr

    True - adding {} really helps. Adding ' and " would be even better. Which gives us `RewriteCond %{HTTP:Content-type} [$\#()%}{'"]` – Tim Funk Mar 10 '17 at 16:24
    It is a viable solution, but don't forget about HTML entities. – Aleksandr M Mar 10 '17 at 18:03
    Point. Also, it's always more difficult to validate input using a black list. A more robust solution would be to develop a white list regex based on the RFC definition of the Content-type header. But this would work in a jiffy. https://www.w3.org/Protocols/rfc1341/4_Content-Type.html – Opratr Mar 10 '17 at 18:13
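As an added example (not code from any of the answers above), the Python below reproduces the blocklist character class used in the RewriteCond rules and contrasts it with an allowlist regex for a narrowed Content-Type grammar, the "white list based on the RFC" idea from the last comment. The grammar is an assumption that is stricter than RFC 2045 tokens (which themselves admit `$`, `#`, `%` and `'`), and the sample headers are constructed, not real traffic.

```python
import re

# Blocklist from the answers above: the RewriteCond character class. A header
# matching it would get a 403 from the Apache rule.
BLOCKLIST = re.compile(r'[$#()%}{\'"]')

# Allowlist for a narrowed grammar (assumption: stricter than RFC 2045 tokens):
#   type "/" subtype *( ";" name "=" ( token | quoted-string ) )
_TOKEN = r"[A-Za-z0-9._+-]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})"
ALLOWLIST = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")


def blocked_by_blocklist(content_type: str) -> bool:
    """True if the mod_rewrite blocklist rule would reject this header."""
    return BLOCKLIST.search(content_type) is not None


def allowed_by_allowlist(content_type: str) -> bool:
    """True if the header fits the narrowed grammar above."""
    return ALLOWLIST.fullmatch(content_type) is not None


def classify(headers):
    """Map each header to (rejected_by_blocklist, accepted_by_allowlist)."""
    return {h: (blocked_by_blocklist(h), allowed_by_allowlist(h)) for h in headers}


# Constructed sample headers. The last two merely contain the characters the
# answers single out; they are not exploit payloads.
SAMPLES = [
    "application/json",
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    'text/plain; charset="utf-8"',   # legitimate, yet the blocklist rejects it
    "%{#junk}",
    "multipart/form-data; boundary=(x)",
]

if __name__ == "__main__":
    for h, (blocked, allowed) in classify(SAMPLES).items():
        print(f"{h!r:62} blocklist_403={blocked!s:5} allowlist_ok={allowed}")
```

The quoted charset sample shows the cost of the `'"` additions: a valid header is refused, while the allowlist accepts it and still rejects the two malformed ones.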
0

Apache's mod_rewrite can filter out the bad content type.

More advanced checks can be made - but this checks for characters we don't expect to see in the incoming content-type header:

RewriteCond %{HTTP:Content-type} [$\#()]
RewriteRule . - [F,L]
Tim Funk
0

You can add this one to your httpd.conf or inside your virtualhost, after you've enabled mod_rewrite:

# MITIGATE CVE-2017-5638
RewriteCond %{HTTP:Content-type} [$\#()%}{'"] [OR]
RewriteCond %{HTTP:Content-Disposition} [$\#()%}{'"] [OR]
RewriteCond %{HTTP:Content-Length} [$\#()%}{'"]
RewriteRule . "-" [F,L]
dAm2K