Cadet 3rd Class

HPE Fortify complains my application has a Struts 2 issue (11512), but I don't use Struts 2 at all.

As the subject says, HPE Fortify complains about a phantom High issue regarding Struts 2, but I don't use Struts 2 at all. Is it a bug in Fortify? How do I solve it (I am being challenged badly by my customers)?

Here are the details from the report:

OGNL Expression Injection: Dynamic Method Invocation ( 11512 )
CWE: 94,95
Page: https://webitr.gov.taipei:443/WebITR/webformlogic/xforward!%23m1%3d%23parameters.setWI06152016result[0],%23m1.toString=123&setWI06152016result=none&
Fix:
Upgrade to the latest Struts 2 version and disable the "Dynamic Method Invocation" feature in the Struts 2 configuration. In
order to disable this feature use the struts.enable.DynamicMethodInvocation property either as a Struts 2 property
setting:
<constant name="struts.enable.DynamicMethodInvocation" value="false" />
or in struts.properties:
struts.enable.DynamicMethodInvocation = false
or in web.xml include this init-param node in the Struts 2 filter:
<init-param>
<param-name>struts.enable.DynamicMethodInvocation</param-name>
<param-value>false</param-value>
</init-param>
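A check a defender would run to settle the question in this post: does the deployed application actually ship Struts 2, and if so, is Dynamic Method Invocation disabled through any of the three configuration locations the Fortify fix text lists (struts.xml constant, struts.properties, or the web.xml init-param)? This is an added example, not code from the original post or from Fortify. It assumes a standard exploded webapp layout (WEB-INF/lib, WEB-INF/classes/struts.xml, WEB-INF/classes/struts.properties, WEB-INF/web.xml), assumes the precedence web.xml over struts.properties over struts.xml, and the sample webapp it builds for the self-test is constructed data, not a real application.

```python
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET

# The property named in the Fortify fix text.
DMI_KEY = "struts.enable.DynamicMethodInvocation"

def _local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]

def uses_struts2(webapp_dir):
    """True if the exploded webapp carries Struts 2 artifacts (core jar or struts.xml)."""
    lib = os.path.join(webapp_dir, "WEB-INF", "lib")
    jars = os.listdir(lib) if os.path.isdir(lib) else []
    if any(j.startswith("struts2-core") and j.endswith(".jar") for j in jars):
        return True
    return os.path.exists(os.path.join(webapp_dir, "WEB-INF", "classes", "struts.xml"))

def _from_web_xml(path):
    """Look for the <init-param> form shown in the fix text, namespace-agnostic."""
    if not os.path.exists(path):
        return None
    for elem in ET.parse(path).getroot().iter():
        if _local(elem.tag) != "init-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == DMI_KEY:
            return fields.get("param-value", "").lower() == "true"
    return None

def _from_properties(path):
    """Look for 'struts.enable.DynamicMethodInvocation = false' in struts.properties."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
            if m and m.group(1) == DMI_KEY:
                return m.group(2).strip().lower() == "true"
    return None

def _from_struts_xml(path):
    """Look for the <constant name=... value=.../> form in struts.xml."""
    if not os.path.exists(path):
        return None
    for c in ET.parse(path).getroot().iter("constant"):
        if c.get("name") == DMI_KEY:
            return (c.get("value") or "").strip().lower() == "true"
    return None

def dmi_enabled(webapp_dir):
    """True/False when the property is declared somewhere, None when it is not set.
    Assumed precedence: web.xml over struts.properties over struts.xml."""
    wi = os.path.join(webapp_dir, "WEB-INF")
    for finder, path in (
        (_from_web_xml, os.path.join(wi, "web.xml")),
        (_from_properties, os.path.join(wi, "classes", "struts.properties")),
        (_from_struts_xml, os.path.join(wi, "classes", "struts.xml")),
    ):
        result = finder(path)
        if result is not None:
            return result
    return None

def assess(webapp_dir):
    """One-word verdict for a scan triage note."""
    if not uses_struts2(webapp_dir):
        return "no-struts2"
    state = dmi_enabled(webapp_dir)
    if state is None:
        return "dmi-unset"  # falls back to the release default; check the installed version
    return "dmi-enabled" if state else "dmi-disabled"

def make_sample_webapp(dmi_value=None, with_struts=True):
    """Build a throwaway exploded webapp (constructed sample data, not a real app)."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "WEB-INF", "lib"))
    os.makedirs(os.path.join(d, "WEB-INF", "classes"))
    with open(os.path.join(d, "WEB-INF", "web.xml"), "w") as fh:
        fh.write("<web-app/>")
    if with_struts:
        # Jar name is constructed; only the struts2-core prefix matters here.
        open(os.path.join(d, "WEB-INF", "lib", "struts2-core-2.3.x.jar"), "w").close()
        constant = "" if dmi_value is None else '<constant name="%s" value="%s"/>' % (DMI_KEY, dmi_value)
        with open(os.path.join(d, "WEB-INF", "classes", "struts.xml"), "w") as fh:
            fh.write("<struts>%s</struts>" % constant)
    return d

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_webapp("false")
    print(target, "->", assess(target))
```

Run it against the exploded application directory on the server (`python check_dmi.py /path/to/webapp`). A verdict of "no-struts2" supports treating the finding as a false positive for the Struts 2 fix text, although the URL pattern Fortify flagged should still be retested through the proxy as the replies below suggest; "dmi-unset" means the effective value is whatever the installed Struts release defaults to, so the version matters.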

Admiral

Is it repeatable when you use "Review Vulnerability" and then "Retest"?  If so try using the option there to intercept the traffic using a proxy and you will see exactly what constitutes the finding.  If you're having difficulty interpreting what you see then I would suggest opening a support case.

Micro Focus Expert

As a quick refresher -- you can open the Review Vulnerability tool by double-clicking on the Vulnerability as it is listed in the bottom Summary Information pane, or via a right-click menu found on the same listed item. To hook this review tool through a proxy, such as the included Web Proxy, you must first edit the Current Scan settings to point to the proxy listener port that you will be running. This is found under the Edit menu > Current Scan Settings > Proxy panel.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify