Summary
Excerpt |
---|
A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirectsBroken Access Control Vulnerability in Apache Struts2 |
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Open redirect Permissions, Privileges, and Access Controls |
Maximum security rating | Important |
Recommendation | Developers should immediately upgrade to Struts 2.3.15.13 |
Affected Software | Struts 2.0.0 - Struts 2.3.15.2 |
Reporter | Takeshi Terada of Mitsui Bussan Secure Directions, Inc. Zhu Gang, Zhang Jin, Huawei PSIRT |
CVE Identifier |
Problem
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.
Proof of concept
In the Struts Showcase App, open following URLs.
Code Block http://host/struts2-showcase/fileupload/upload.action?redirect:http://www.yahoo.com/
Code Block http://host/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.google.com/%23
Solution
...
3, under certain conditions this can be used to bypass security constraints. More details will available later on when the patch will be widely adopted.
Solution
In Struts 2.3.15.3 the action mapping mechanism was changed to avoid circumventing security constraints. Two additional constants were introduced to steer behaviour of DefaultActionMapper:
- struts.mapper.action.prefix.enabled - when set to false support for "action:" prefix is disabled, set to false by default
- struts.mapper.action.prefix.crossNamespaces - when set to false, actions defined with "action:" prefix must be in the same namespace as current action
Note | ||
---|---|---|
| ||
After upgrading to Struts >= 2.3.15.13, applications using the "redirect:" / "redirectActionaction:" functionality will no longer work properly. Please investigate your code to replace such expressions with proper fixed navigation ruleswill stop working. You can use above constants to steer that behaviour. |
Warning |
---|
It is strongly recommended to upgrade to Struts 2.3.15.13, which contains the corrected Struts2-Core library. |