Struts 2 development mode

Description

Struts 2 has a setting (which can be set to true or false in struts.properties) called devMode (= development mode). When this setting is enabled, Struts 2 will provide additional logging and debug information, which can significantly speed up development.

The development mode flag enables an OGNL injection backdoor allowing the developers to check their Value Stacks with ease and from a handy OGNL console or request parameter. This handy feature for developers turns into a security nightmare if application is released into production servers with this flag on.

Remediation

Struts 2 development mode should be disabled on production servers.

References
Severity
Classification
Tags
  • Code Execution   Configuration