OWASP Insecure Web Components Project/Struts2

Overview
The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass did not cover other cases, allowing manipulation of session and request state when "*" is used to configure the cookiesName param.

The CookieInterceptor sets values in the OGNL value stack and on the action based on the cookie name and value. If an asterisk is present in the cookiesName parameter, all cookie names are assumed to be allowed and every cookie is injected into the OGNL stack and the corresponding action. The same applies to the cookiesValue parameter.

Example:

   cookie1, cookie2 *   ...
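The following struts.xml fragment is an added illustration, not configuration from the original page or from the Struts project. It places the wildcard setting described above beside an explicit allowlist. The action name, class and result path are assumed placeholders; the interceptor name "cookie" and the cookiesName/cookiesValue parameter names are those the page refers to.

```xml
<!-- Added example (not from the original page): wildcard versus explicit cookie names.
     Action name, class and result are placeholders. -->
<struts>
  <package name="example" extends="struts-default">

    <!-- WEAK: "*" in cookiesName lets any cookie name reach the OGNL stack,
         so the cookie name itself chooses which property (or expression) is set. -->
    <action name="profileWeak" class="com.example.ProfileAction">
      <interceptor-ref name="cookie">
        <param name="cookiesName">*</param>
        <param name="cookiesValue">*</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
      <result>/profile.jsp</result>
    </action>

    <!-- CORRECTED: only the cookies this action actually needs are named.
         Other cookies are ignored by the interceptor, so a cookie name can no
         longer be used to address session, request or other stack objects.
         cookiesValue stays "*" so any value of the named cookies is accepted. -->
    <action name="profile" class="com.example.ProfileAction">
      <interceptor-ref name="cookie">
        <param name="cookiesName">theme,locale</param>
        <param name="cookiesValue">*</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
      <result>/profile.jsp</result>
    </action>

  </package>
</struts>
```

When reviewing a deployment, grep struts.xml (and any included configuration files) for `cookiesName` and treat a value of `*` as a finding; each named cookie should correspond to a plain setter on the action, not to a nested property path.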

References:

http://struts.apache.org/release/2.3.x/docs/s2-022.html
http://securityintelligence.com/struts-vulnerabilities-analysis-parameters-cookie-interceptors-impact-exploitation/
http://codesecure.blogspot.ca/2011/12/struts-2-session-tampering-via.html