Summary

A vulnerability introduced by manipulating parameters prefixed with "action:" allows circumventing servlet/URL restrictions for actions in the same package. In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Permissions, Privileges, and Access Controls

Maximum security rating

Important

Recommendation

Developers should immediately upgrade to Struts 2.3.15.2

Affected Software

Struts 2.0.0 - Struts 2.3.15.1

Reporter

Zhangyan (L), Huawei PSIRT

CVE Identifier

CVE-2013-4310

Problem

In Struts 2 before 2.3.15.2 the information following "action:" can easily be manipulated to access restricted content of actions in the same package; under certain conditions this can be used to bypass security constraints. More details will be made available later, once the patch has been widely adopted.

Proof of concept

Modify web.xml in the Struts Blank app as follows:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HelloWorld</web-resource-name>
            <url-pattern>/example/HelloWorld.action</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    
    <security-role>
        <role-name>admin</role-name>
    </security-role>

With this security constraint on HelloWorld.action, opening it directly returns a Permission Denied error. The restriction can be circumvented with the URL below:

    http://host/struts2-blank/example/Login.action?action:HelloWorld

Solution

In Struts 2.3.15.2 the action mapping mechanism was changed to avoid circumventing security constraints.

DefaultActionMapper was changed to forward the request to the action named by the "action:" prefix: instead of just updating the current ActionMapping, DefaultActionMapper now creates a new result, a ServletDispatcherResult, and executes it.

Another option is to write your own ActionMapper and completely drop support for the "action:" prefix, if support for multiple submit buttons isn't used. Consult the manual on how to write your own ActionMapper.
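
The second option above, a custom ActionMapper that drops support for the "action:" prefix, as an added example that is not from this bulletin or from the Struts project. It assumes the Struts 2.3.x DefaultActionMapper resolves its special parameter prefixes in a public handleSpecialParameters(HttpServletRequest, ActionMapping) method, and the class name example.NoActionPrefixMapper is hypothetical.

```java
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.struts2.dispatcher.mapper.ActionMapping;
import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;

/**
 * ActionMapper that never honours an "action:" request parameter, so a request
 * for Login.action cannot be re-pointed at HelloWorld.action. Everything else,
 * including "method:" for multiple submit buttons, is inherited unchanged.
 * Register it in struts.xml (class name is hypothetical):
 *   <bean type="org.apache.struts2.dispatcher.mapper.ActionMapper"
 *         name="noActionPrefix" class="example.NoActionPrefixMapper"/>
 *   <constant name="struts.mapper.class" value="noActionPrefix"/>
 */
public class NoActionPrefixMapper extends DefaultActionMapper {
    private static final String ACTION_PREFIX = "action:";

    // Assumption: in Struts 2.3.x DefaultActionMapper resolves its special
    // prefixes here from the request's parameter names, so it is handed a view
    // of the request in which "action:..." parameters do not exist.
    @Override
    public void handleSpecialParameters(HttpServletRequest request, ActionMapping mapping) {
        super.handleSpecialParameters(new WithoutActionPrefix(request), mapping);
    }

    /** Request view with every "action:..." parameter removed. */
    private static final class WithoutActionPrefix extends HttpServletRequestWrapper {
        private final Map<String, String[]> kept = new LinkedHashMap<String, String[]>();

        @SuppressWarnings("unchecked") // getParameterMap() is a raw Map on Servlet 2.5
        WithoutActionPrefix(HttpServletRequest request) {
            super(request);
            Map<String, String[]> all = request.getParameterMap();
            for (Map.Entry<String, String[]> e : all.entrySet()) {
                if (!e.getKey().startsWith(ACTION_PREFIX)) {
                    kept.put(e.getKey(), e.getValue());
                }
            }
        }

        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(kept); }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(kept.keySet()); }
        @Override public String[] getParameterValues(String name) { return kept.get(name); }
        @Override public String getParameter(String name) {
            String[] v = kept.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
    }
}
```

Unlike the 2.3.15.2 fix, this removes the feature entirely, so any form that relies on "action:"-prefixed submit buttons stops working.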
