Versions Compared

Old Version 3

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version Current

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Summary

Excerpt

A vulnerability introduced by manipulating parameter prefixed with "action:" to obey servlet/url restrictions for actions in the same packageBroken Access Control Vulnerability in Apache Struts2

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Permissions, Privileges, and Access Controls

Maximum security rating

Important

Recommendation

Developers should immediately upgrade to Struts 2.3.15.23

Affected Software

Struts 2.0.0 - Struts 2.3.15.1 2

Reporter

Zhangyan (L) Zhu Gang, Zhang Jin, Huawei PSIRT

CVE Identifier

CVE-2013-4310

Problem

The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "action:". This mechanism was action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.2 the information following "action:" can easily be manipulated to access restricted content of actions in the same package.

Proof of concept

Modify web.xml in the Struts Blank app as follow:

...


    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HelloWorld</web-resource-name>
            <url-pattern>/example/HelloWorld.action</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    
    <security-role>
        <role-name>admin</role-name>
    </security-role>

3, under certain conditions this can be used to bypass security constraints. More details will available later on when the patch will be widely adopted.

Solution

In Struts 2.3.15.3 the action mapping mechanism was changed to avoid circumventing security constraints. Two additional constants were introduced to steer behaviour of DefaultActionMapper:

  • struts.mapper.action.prefix.enabled - when set to false support for "action:" prefix is disabled, set to false by default
  • struts.mapper.action.prefix.crossNamespaces - when set to false, actions defined with "action:" prefix must be in the same namespace as current action

Thus adds a security constraint on action HelloWorld.action - try to open it directly and you will get Permission Denied error. To obey that use the below url:

Code Block
http://host/struts2-blank/example/Login.action?action:HelloWorld

Solution

DefaultActionMapper was changed to forward request to the requested action by "action:" prefix - thus means instead of just updating current ActionMapping, the DefaultActionMapper creates a new result - ServletDispatchResult - and executes it.

...

Note
titleBackward Compatibility

After upgrading to Struts >= 2.3.15.23, applications using the "action:" should still work as expectedwill stop working. You can use above constants to steer that behaviour.

Warning

It is strongly recommended to upgrade to Struts 2.3.15.23, which contains the corrected Struts2-Core library.