Summary
Possible DoS attack when usingURLValidator
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible DoS attack when using URLValidator |
Maximum security rating | Low |
Recommendation | Upgrade to Struts 2.3.29 or Struts 2.5.13 |
Affected Software | Struts 2.3.20 - 2.3.28.1 Struts 2.5 - 2.5.12 |
Reporter | ASAI Ken tc535mr2 at gmail dot com |
CVE Identifier | CVE-2016-4465 |
Problem
If an application allows enter na URL field in a form and built-in URLValidator
is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
Solution
Upgrade to Apache Struts version 2.3.29 or 2.5.13.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
You can redefine RegEx used by URLValidator
as below:
<validator type="url"> <param name="fieldName">myHomePage</param> <param name="urlRegex">^(https?|ftp):\\/\\/(([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+(:([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+)?@)?(#?)((([a-z0-9]\\.|[a-z0-9][a-z0-9-]*[a-z0-9]\\.)*[a-z][a-z0-9-]*[a-z0-9]|((\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5])\\.){3}(\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5]))(:\\d+)?)(((\\/{0,1}([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)*(\\?([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?)?)?(#([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?$</param> <message>Invalid homepage url</message> </validator>