Summary

| Excerpt | Directory traversal vulnerability while serving static content |
|---|---|
| Who should read this | All Struts 2 developers |
| Impact of vulnerability | Read access to server filesystem resources (under certain application server environments) |
| Maximum security rating | Important |
| Recommendation | Developers should upgrade to a minimum of Struts 2.0.12 or Struts 2.1.6 |
| Affected Software | Struts 2.0.0 - 2.0.11.2, Struts 2.1.0 - 2.1.2 |
| Original JIRA Ticket | |
| Reporter | Csaba Barta and László Tóth, PricewaterhouseCoopers |
| CVE Identifier | CVE-2008-6505 |
Problem
By design, the Struts2 dispatcher logic serves certain static resources found in the classpath of the web application for request URIs whose context-relative path starts with "/struts/".
...
Although not all containers are vulnerable to this, the Struts2 dispatcher logic has to prevent access to static content outside the static resource folders.
Solution
As of Struts 2.0.12, the dispatcher logic was improved to correctly decode and normalize the request path before checking if static content serving applies for a given request.
You can obtain Struts 2.0.12 as a drop-in replacement for Struts 2.0.11.2 to get the fixed Struts 2 core library.
Within the Struts 2.1.x branch, upgrade to at least Struts 2.1.6.
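The fix described above amounts to "decode, then normalize, then check the prefix" rather than checking the raw request path. The following is an added illustration of that ordering, written for this advisory; it is not the Struts dispatcher's own code, and the class name `StaticPathCheck`, the sample request paths and the `/secret.txt` placeholder are all constructed for the example. It contrasts a naive check that looks only at the raw path with a hardened check that percent-decodes (repeatedly, so double encoding cannot hide a traversal segment), collapses `.` and `..` segments, rejects any path that climbs above the root, and only then compares against the `/struts/` prefix.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Illustrative static-resource path check for a "/struts/" prefix.
 * Example code written for this advisory, not the Struts dispatcher itself.
 */
public final class StaticPathCheck {
    private static final String STATIC_PREFIX = "/struts/";

    /** Naive check: inspects the raw, still-encoded request path only.
     *  A percent-encoded traversal segment is not recognized as "..". */
    public static boolean naiveAllows(String rawPath) {
        return rawPath.startsWith(STATIC_PREFIX) && !rawPath.contains("..");
    }

    /** Hardened check: decode first, then normalize, then compare the canonical path. */
    public static boolean hardenedAllows(String rawPath) {
        String decoded = rawPath;
        // Decode until the string stops changing (bounded), so "%252e" -> "%2e" -> "." is handled.
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                next = URLDecoder.decode(decoded, StandardCharsets.UTF_8); // Java 10+
            } catch (IllegalArgumentException e) {
                return false; // malformed percent-encoding: reject rather than guess
            }
            if (next.equals(decoded)) {
                break;
            }
            decoded = next;
        }
        String normalized = normalize(decoded);
        if (normalized == null) {
            return false; // ".." climbed above the root
        }
        // Must stay inside the static folder and name an actual resource below it.
        return normalized.startsWith(STATIC_PREFIX) && normalized.length() > STATIC_PREFIX.length();
    }

    /** Resolves "." and ".." segments; returns null if ".." would escape the root.
     *  Backslashes are treated as separators, since some containers accept them. */
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed sample request paths; "/secret.txt" is a placeholder, not a real target.
        String[] samples = {
            "/struts/example.css",              // legitimate static resource
            "/struts/sub/../example.css",       // harmless ".." that stays inside the folder
            "/struts/../secret.txt",            // literal traversal: both checks reject
            "/struts/%2e%2e/secret.txt",        // encoded traversal: naive check wrongly allows
            "/struts/%252e%252e/secret.txt",    // double-encoded traversal: naive check wrongly allows
            "/struts/%zz/example.css"           // malformed encoding: hardened check rejects
        };
        for (String s : samples) {
            System.out.printf("%-36s naive=%-5b hardened=%b%n", s, naiveAllows(s), hardenedAllows(s));
        }
    }
}
```

The important property is the order of operations: the prefix comparison happens on the fully decoded and normalized path, never on the raw URI. `URLDecoder` also turns `+` into a space, which is acceptable for a demonstration but would need care in a real servlet path handler.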