A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Maximum security rating
Developers should immediately upgrade to Struts 18.104.22.168
Struts 2.0.0 - Struts 2.3.15
Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 22.214.171.124 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.
Proof of concept
In the Struts Showcase App, open following URLs.
DefaultActionMapper was changed to drop the features involved with "redirect:"/"redirectAction:"-prefixed parameters completely - see also S2-016.
After upgrading to Struts >= 126.96.36.199, applications using the "redirect:" / "redirectAction:" functionality will no longer work properly. Please investigate your code to replace such expressions with proper fixed navigation rules.
It is strongly recommended to upgrade to Struts 188.8.131.52, which contains the corrected Struts2-Core library.