Struts 2 development mode
Description
Apache Struts 2 includes a development mode feature (devMode) that can be enabled in the struts.properties configuration file. When enabled, this mode provides enhanced logging, debugging information, and an OGNL (Object-Graph Navigation Language) console to help developers inspect application state and troubleshoot issues during development. However, if this setting remains enabled in production environments, it exposes a critical security vulnerability by allowing unauthenticated access to OGNL expression evaluation through request parameters, effectively creating an exploitable backdoor.
Remediation
Immediately disable development mode on all production and staging servers by following these steps:
1. Locate the struts.properties file (typically in WEB-INF/classes/ or src/main/resources/)
2. Set devMode to false:
struts.devMode = false
3. If using struts.xml configuration, ensure devMode is not enabled:
<struts>
    <constant name="struts.devMode" value="false" />
</struts>
4. Restart the application server to ensure the configuration change takes effect.
5. Verify the fix by attempting to access the debug console (it should no longer be available).
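A complementary check to step 5, added here as an example and not code from the original page or from the Struts project: it walks an exploded webapp and reports every struts.properties or struts*.xml that still turns devMode on, so the review can be scripted into a release gate. The truthy-value set, the file-name pattern, and last-assignment-wins within a file are assumptions; other places a Struts constant can be set are out of scope.

```python
"""Flag Struts 2 config files that enable devMode (added example, not code from the original page)."""
import os
import xml.etree.ElementTree as ET

# Assumption: flag every common truthy spelling, not just "true", so a sloppy value is not missed.
TRUE_VALUES = {"true", "yes", "on", "1"}


def properties_enables_devmode(text):
    """True if a struts.properties body sets struts.devMode to a truthy value (last assignment wins)."""
    enabled = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or properties-file comment
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        key, value = line[: min(seps)].strip(), line[min(seps) + 1 :].strip()
        if key == "struts.devMode":
            enabled = value.lower() in TRUE_VALUES
    return enabled


def xml_enables_devmode(text):
    """True if a struts.xml body sets <constant name="struts.devMode" value="true"/> (last one wins)."""
    enabled = False
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == "struts.devMode":
            enabled = (const.get("value") or "").strip().lower() in TRUE_VALUES
    return enabled


def is_struts_config(name):
    """struts.properties, struts.xml and any struts-*.xml it includes (assumed naming pattern)."""
    return name == "struts.properties" or (name.startswith("struts") and name.endswith(".xml"))


def enabled_in(name, body):
    """Dispatch on file type; call only for names accepted by is_struts_config."""
    return properties_enables_devmode(body) if name.endswith(".properties") else xml_enables_devmode(body)


def find_devmode_enabled(root_dir):
    """Walk an exploded webapp (e.g. WEB-INF/classes) and return relative paths of files that turn devMode on."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in filter(is_struts_config, files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                if enabled_in(name, fh.read()):
                    hits.append(os.path.relpath(path, root_dir))
    return sorted(hits)
```

An empty list from find_devmode_enabled means no scanned file enables devMode; a non-empty list is the set of files to fix before release.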
Best Practices:
- Implement separate configuration files for development and production environments
- Use build processes that automatically disable devMode for production deployments
- Conduct security reviews of configuration files before production releases
- Monitor application logs for any OGNL-related errors that might indicate exploitation attempts