Two Security Vulnerabilities of Struts 2

Two critical security vulnerabilities in Struts 2 were disclosed early last week. They shook the IT companies that depend on this framework, and many websites in China were reported to be affected.

The vulnerabilities are tracked as S2-016 and S2-017 in the Apache Foundation's security bulletins.

S2-016
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression.

In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server-side code.

S2-017
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with “redirect:” or “redirectAction:”, followed by a desired redirect target expression.

In Struts 2 before 2.3.15.1 the information following “redirect:” or “redirectAction:” can easily be manipulated to redirect to an arbitrary location.

To fix the two issues without upgrading, we basically need to rewrite the method “handleSpecialParameters” of DefaultActionMapper in Struts 2 and add filters that reject unexpected parameters. An example that can be referred to is published at ITEye.com, a Chinese-language website.
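
As an added illustration of the “add filters” advice (example code written for this post, not the ITEye article's or the Struts project's own): a servlet filter, mapped in web.xml ahead of the Struts 2 filter, that refuses any request carrying a parameter whose name begins with one of the three special prefixes, so DefaultActionMapper never evaluates it. The class name is an assumption, and the Servlet 3.0 API is assumed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SpecialParameterRejectFilter implements Filter {

    // The prefixes DefaultActionMapper.handleSpecialParameters acts on (S2-016 / S2-017).
    private static final String[] BLOCKED_PREFIXES = {"action:", "redirect:", "redirectAction:"};

    // True when a parameter name starts with a blocked prefix. The match is
    // case-insensitive and ignores leading whitespace, i.e. stricter than the
    // framework's own prefix check; no legitimate client needs these names.
    static boolean isSpecialParameter(String name) {
        String trimmed = name.trim();
        for (String prefix : BLOCKED_PREFIXES) {
            if (trimmed.regionMatches(true, 0, prefix, 0, prefix.length())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // getParameterMap() covers query-string and form-body parameters alike.
        for (String name : req.getParameterMap().keySet()) {
            if (isSpecialParameter(name)) {
                // Log the name only (the value may carry an OGNL payload) and refuse the request.
                req.getServletContext().log("Rejected special parameter '" + name
                        + "' from " + req.getRemoteAddr());
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

This is a stop-gap for the period before the 2.3.15.1 upgrade, not a substitute for it.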

It is strongly recommended to upgrade to Struts 2.3.15.1, which contains the corrected Struts2-Core library.
