...
| Excerpt |
|---|
A vulnerability introduced by manipulating parameters parameter prefixed with "redirectaction:" /"redirectAction:" allows for open redirectsto obey servlet/url restrictions for actions in the same package |
Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Open redirect Permissions, Privileges, and Access Controls |
Maximum security rating | Important |
Recommendation | Developers should immediately upgrade to Struts 2.3.15.12 |
Affected Software | Struts 2.0.0 - Struts 2.3.15.1 |
Reporter | Takeshi Terada of Mitsui Bussan Secure Directions, Inc. Zhangyan (L), Huawei PSIRT |
CVE Identifier |
...
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectActionaction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 2 the information following "redirectaction:" or " redirectAction:" can easily be manipulated to redirect to an arbitrary locationaccess restricted content of actions in the same package.
Proof of concept
In the Struts Showcase App, open following URLs.
...
Modify web.xml in the Struts Blank app as follow:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<security-constraint>
<web-resource-collection>
<web-resource-name>HelloWorld</web-resource-name>
<url-pattern>/example/HelloWorld.action</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
|
Thus adds a security constraint on action HelloWorld.action - try to open it directly and you will get Permission Denied error. To obey that use the below url:
| Code Block |
|---|
http://host/struts2- |
...
blank/ |
...
example/ |
...
Login.action? |
...
action:HelloWorld |
Solution
DefaultActionMapper was changed to drop the features involved with "redirect:"/"redirectAction:"-prefixed parameters completely - see also S2-016forward request to the requested action by "action:" prefix - thus means instead of just updating current ActionMapping, the DefaultActionMapper creates a new result - ServletDispatchResult - and executes it.
Another option is to write your own ActionMapper and completely drop support for "action:" prefix if support for multiple submit buttons isn't used. Consult manual how to write your own ActionMapper.
| Note | ||
|---|---|---|
| ||
After upgrading to Struts >= 2.3.15.12, applications using the "redirectaction:" / "redirectAction:" functionality will no longer work properly. Please investigate your code to replace such expressions with proper fixed navigation rules.should still work as expected. |
| Warning |
|---|
It is strongly recommended to upgrade to Struts 2.3.15.12, which contains the corrected Struts2-Core library. |