Two critical security vulnerabilities in Struts 2 were disclosed earlier last week. They shook the IT companies that depend on this framework, and many websites in China were reported to be affected.
The vulnerabilities are tracked as S2-016 and S2-017 in the Apache Foundation's security bulletins.
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression.
In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since that information is evaluated as an OGNL expression against the value stack, this makes it possible to inject server-side code.
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with “redirect:” or “redirectAction:”, followed by a desired redirect target expression.
In Struts 2 before 2.3.15.1 the information following “redirect:” or “redirectAction:” can easily be manipulated to redirect to an arbitrary location.
To fix the two issues, we basically need to rewrite the handleSpecialParameters method of DefaultActionMapper in Struts 2 and add a filter that rejects the unexpected parameters. An example can be found at ITEye.com, a Chinese-language website.
It is strongly recommended to upgrade to Struts 2.3.15.1, which contains the corrected struts2-core library.
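As an added illustration of the "filter unexpected parameters" stopgap (this is not the ITEye example nor Struts project code), the servlet filter below rejects any request whose parameter names carry the special prefixes that DefaultActionMapper.handleSpecialParameters interprets. It assumes the javax.servlet API; the class name is hypothetical, and the filter must be mapped in web.xml ahead of the Struts dispatcher filter so the mapper never sees the parameters.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical stopgap filter: blocks DefaultActionMapper's special-prefix parameters. */
public class SpecialParameterRejectFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SpecialParameterRejectFilter.class.getName());

    // Prefixes handled by handleSpecialParameters in the affected releases.
    // Compared case-insensitively as a conservative superset of the mapper's own check.
    private static final String[] BLOCKED_PREFIXES = {"action:", "redirect:", "redirectaction:"};

    /** True when a parameter name starts with one of the special prefixes. */
    static boolean isSpecialParameter(String name) {
        if (name == null) return false;
        String lower = name.toLowerCase(Locale.ROOT);
        for (String prefix : BLOCKED_PREFIXES) {
            if (lower.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getParameterNames() already covers query string and form body, decoded
        // the same way the Struts mapper would see them.
        Enumeration<String> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (isSpecialParameter(name)) {
                // Log for detection, then refuse the request before Struts processes it.
                LOG.warning("Rejected special-prefix parameter from " + req.getRemoteAddr() + ": " + name);
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

This only narrows the attack surface while the upgrade to 2.3.15.1 is scheduled; it does not replace the corrected struts2-core.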