
Summary

A vulnerability that allows a parameter prefixed with "action:" to be manipulated to bypass servlet/URL restrictions on actions in the same package

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Permissions, Privileges, and Access Controls

Maximum security rating

Important

Recommendation

Developers should immediately upgrade to Struts 2.3.15.2

Affected Software

Struts 2.0.0 - Struts 2.3.15.1

Reporter

Zhangyan (L), Huawei PSIRT

CVE Identifier

CVE-2013-4310

Problem

The Struts 2 DefaultActionMapper supported a short-circuit navigation mechanism: a request parameter whose name is prefixed with "action:" changes the action that will be executed. This mechanism was intended to help attach navigational information to buttons within forms (for example, several submit buttons in one form, each leading to a different action).

In Struts 2 before 2.3.15.2 the action name following "action:" can easily be manipulated to access restricted content of actions in the same package. The servlet container evaluates its security constraints against the request URL, but the mapper only rewrote the current ActionMapping in place, so the action named after "action:" was executed without its own URL ever being checked.

Proof of concept

Modify web.xml in the Struts Blank app as follows:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HelloWorld</web-resource-name>
            <url-pattern>/example/HelloWorld.action</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    
    <security-role>
        <role-name>admin</role-name>
    </security-role>

This adds a security constraint on HelloWorld.action: open it directly and you get a Permission Denied error (the container rejects the request before Struts sees it). To bypass the constraint, request an unrestricted action in the same package and name the restricted one in an "action:" parameter:

http://host/struts2-blank/example/Login.action?action:HelloWorld

Solution

DefaultActionMapper was changed to forward the request to the action named by the "action:" prefix. This means that instead of just updating the current ActionMapping, the DefaultActionMapper creates a new result, a ServletDispatcherResult, and executes it.

Another option is to write your own ActionMapper and drop support for the "action:" prefix entirely if your application does not rely on it for multiple submit buttons. Consult the manual on how to write your own ActionMapper.
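As an added illustration of that second option (example code, not part of this advisory or of the Struts distribution), the mapper below subclasses DefaultActionMapper and replaces the "action:" handler with one that does nothing, so a request such as /example/Login.action?action:HelloWorld keeps mapping to Login. It assumes the Struts 2.3 layout of DefaultActionMapper, where the prefix handlers live in a protected PrefixTrie field named prefixTrie, the prefix string is the protected constant ACTION_PREFIX and handlers implement the nested ParameterAction interface; the package name, class name and the bean name "noActionPrefix" used in the registration snippet are hypothetical.

```java
package com.example.struts;

import org.apache.struts2.dispatcher.mapper.ActionMapping;
import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;

/**
 * ActionMapper that keeps everything DefaultActionMapper does except the
 * "action:" parameter prefix. The "method:" and "redirect*" prefixes are
 * left untouched.
 *
 * Registration in struts.xml (bean name "noActionPrefix" is hypothetical):
 *
 *   <bean type="org.apache.struts2.dispatcher.mapper.ActionMapper"
 *         name="noActionPrefix"
 *         class="com.example.struts.NoActionPrefixMapper"/>
 *   <constant name="struts.mapper.class" value="noActionPrefix"/>
 */
public class NoActionPrefixMapper extends DefaultActionMapper {

    public NoActionPrefixMapper() {
        super();
        // Assumption: in the Struts 2.3 line, DefaultActionMapper registers its
        // prefix handlers in the protected PrefixTrie "prefixTrie", keyed by the
        // protected constant ACTION_PREFIX ("action:"). Re-registering that key
        // with a handler that does nothing disables the navigation rewrite while
        // leaving the other prefixes as they are.
        prefixTrie.put(ACTION_PREFIX, new ParameterAction() {
            public void execute(String key, ActionMapping mapping) {
                // Intentionally ignore "action:*" parameters. The mapping stays as
                // derived from the request URI, which is the URL the servlet
                // container already checked against web.xml's security
                // constraints, so a parameter can no longer redirect execution
                // to a sibling action whose URL the caller may not request.
            }
        });
    }
}
```

With this mapper in place, the proof-of-concept URL above executes Login, not HelloWorld, and HelloWorld.action remains reachable only through its own URL, where the container's admin-role constraint applies. Note that DefaultActionMapper stops after the first special parameter it recognises, so a request carrying both an "action:" and a "method:" parameter may have its "method:" parameter ignored as well; if that matters, strip "action:" parameters in a filter instead.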

Backward Compatibility

After upgrading to Struts >= 2.3.15.2, applications using the "action:" prefix should still work as expected.

It is strongly recommended to upgrade to Struts 2.3.15.2, which contains the corrected Struts2-Core library.
