Summary
In Struts 2 before 2.3.15.2, a request parameter prefixed with "action:" can be manipulated to bypass servlet/URL security constraints placed on actions in the same package; under certain conditions this allows security constraints to be circumvented.
| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Permissions, Privileges, and Access Controls |
| Maximum security rating | Important |
| Recommendation | Developers should immediately upgrade to Struts 2.3.15.2 |
| Affected Software | Struts 2.0.0 - Struts 2.3.15.1 |
| Reporter | Zhangyan (L), Huawei PSIRT |
| CVE Identifier | |
Problem
...
In Struts 2 before 2.3.15.2 the action name following the "action:" prefix can easily be manipulated to reach restricted content of actions in the same package; under certain conditions this can be used to bypass security constraints declared in web.xml. More details will be made available once the patch has been widely adopted.
Proof of concept
Modify web.xml in the Struts Blank app as follows:
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HelloWorld</web-resource-name>
            <url-pattern>/example/HelloWorld.action</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
TBU
In Struts 2.3.15.2 the action mapping mechanism was changed to avoid circumventing security constraints
This adds a security constraint on the HelloWorld.action action: opening it directly yields a Permission Denied error, because the container enforces the constraint on the request URL. The constraint is bypassed with the URL below, since the container only checks the URL of the Login action while Struts maps the request to HelloWorld:
    http://host/struts2-blank/example/Login.action?action:HelloWorld
Solution
DefaultActionMapper was changed so that a request carrying the "action:" prefix is forwarded to the requested action: instead of only updating the current ActionMapping (which lets the request run under the URL the container already authorized), DefaultActionMapper now creates a new result, a ServletDispatcherResult, and executes it, so the forwarded request is subject to the constraints that apply to the target action.
Another option is to write your own ActionMapper and drop support for the "action:" prefix entirely if multiple submit buttons are not used. Consult the manual on how to write your own ActionMapper.
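As an added example of the second option, not code from the advisory or from the Struts project, the following custom ActionMapper subclasses DefaultActionMapper and hides every "action:"-prefixed parameter from it, so the prefix can no longer rewrite the mapped action while the other prefixes (such as "method:") keep working. It assumes Struts 2.3.x, where DefaultActionMapper.handleSpecialParameters(HttpServletRequest, ActionMapping) discovers prefixed parameters through request.getParameterMap(); the package name com.example.struts, the class name NoActionPrefixActionMapper and the bean name noActionPrefix are chosen here.

```java
// Added example (not part of the advisory or of Struts): an ActionMapper that
// drops support for the "action:" parameter prefix.
// Assumptions: Struts 2.3.x; DefaultActionMapper.handleSpecialParameters reads
// request.getParameterMap() to find prefixed parameters; package/class/bean
// names below are hypothetical.
package com.example.struts;

import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.struts2.dispatcher.mapper.ActionMapping;
import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;

public class NoActionPrefixActionMapper extends DefaultActionMapper {

    // Same value as DefaultActionMapper.ACTION_PREFIX; declared locally so the
    // filter does not depend on that constant's visibility.
    private static final String ACTION_PREFIX = "action:";

    @Override
    public void handleSpecialParameters(HttpServletRequest request, ActionMapping mapping) {
        // The parent mapper only ever sees a parameter view without "action:..."
        // names, so it cannot change mapping.getName() based on them.
        super.handleSpecialParameters(new ActionPrefixFilteringRequest(request), mapping);
    }

    /** Read-only request view whose parameters omit names starting with "action:". */
    static final class ActionPrefixFilteringRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> filtered;

        ActionPrefixFilteringRequest(HttpServletRequest request) {
            super(request);
            Map<String, String[]> copy = new HashMap<String, String[]>();
            @SuppressWarnings("unchecked")
            Map<String, String[]> original = request.getParameterMap();
            for (Map.Entry<String, String[]> e : original.entrySet()) {
                if (!e.getKey().startsWith(ACTION_PREFIX)) {
                    copy.put(e.getKey(), e.getValue());
                }
            }
            filtered = Collections.unmodifiableMap(copy);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return filtered;
        }

        @Override
        public Enumeration<String> getParameterNames() {
            return Collections.enumeration(filtered.keySet());
        }

        @Override
        public String[] getParameterValues(String name) {
            return filtered.get(name);
        }

        @Override
        public String getParameter(String name) {
            String[] values = filtered.get(name);
            return (values == null || values.length == 0) ? null : values[0];
        }
    }
}

// Registration in struts.xml (hypothetical bean name), replacing the default mapper:
//   <bean type="org.apache.struts2.dispatcher.mapper.ActionMapper"
//         name="noActionPrefix" class="com.example.struts.NoActionPrefixActionMapper"/>
//   <constant name="struts.mapper.class" value="noActionPrefix"/>
```

With this mapper installed, a request such as Login.action?action:HelloWorld is mapped to Login, never to HelloWorld, so the container's constraint on /example/HelloWorld.action is the only way to reach that action. Forms that rely on "action:"-prefixed submit buttons must be rewritten to post to distinct action URLs before enabling it.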
...