Versions Compared

Key

  • [added] marks a line that was added.
  • [removed] marks a line that was removed.
  • Formatting was changed.

[removed] Generated value of token can be predictable
[added] Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker

Who should read this

All Struts 2 developers and users

Impact of vulnerability

If default settings are used, the attacker can compromise the internal state of an application

Maximum security rating

Medium

Recommendation

Developers should immediately upgrade to Struts 2.3.21 or introduce the change below in the framework's settings

Affected Software

Struts 2.3.20

Reporter

Jasper Rosenberg at Cargurus

CVE Identifier

TBD

Problem

[removed] The attacker can fetch any form where a token is present and predict the next value of the token used to secure form submission.
[added] Wrong default exclude patterns were introduced in version 2.3.20 of Struts; if default settings are used, the attacker can compromise the application's internal state.

Solution

[removed] In Struts 2.3.20.1 a better random generator was used to generate unpredictable values.
[added] In Struts 2.3.20.1 a better set of exclude patterns was defined.

Backward compatibility

No backward compatibility problems are expected.

Workaround

...

If you cannot migrate to the latest version, it is highly recommended to redefine defaultStack from struts-default.xml as the stack below (or any other stack used in your application) and drop the excludeParams parameter:

Redefined defaultStack (XML):
<interceptor-stack name="myDefaultStack">
    <interceptor-ref name="exception"/>
    <interceptor-ref name="alias"/>
    <interceptor-ref name="servletConfig"/>
    <interceptor-ref name="i18n"/>
    <interceptor-ref name="prepare"/>
    <interceptor-ref name="chain"/>
    <interceptor-ref name="scopedModelDriven"/>
    <interceptor-ref name="modelDriven"/>
    <interceptor-ref name="fileUpload"/>
    <interceptor-ref name="checkbox"/>
    <interceptor-ref name="datetime"/>
    <interceptor-ref name="multiselect"/>
    <interceptor-ref name="staticParams"/>
    <interceptor-ref name="actionMappingParams"/>
    <interceptor-ref name="params"/>
    <interceptor-ref name="conversionError"/>
    <interceptor-ref name="validation">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="workflow">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="debugging"/>
    <interceptor-ref name="deprecation"/>
</interceptor-stack>

and define the following constant in struts.xml (XML):
<constant name="struts.additional.excludedPatterns" value="^(action|method):.*"/>
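
As an added example that is not part of the bulletin or of the Struts project, the following Python script audits a struts.xml for the two points of the workaround above: it reports every interceptor stack whose params interceptor-ref carries its own excludeParams (which, in Struts 2.3.20, overrides the defaults from DefaultExcludedPatternsChecker), and it checks that the struts.additional.excludedPatterns constant is present and actually covers action: and method: prefixed parameter names. The two struts.xml documents embedded in the script are constructed for illustration; the excludeParams value in the vulnerable sample is an assumption, not taken from the bulletin.

```python
"""Audit a Struts 2.3.20 struts.xml for the excludeParams override and the
struts.additional.excludedPatterns mitigation. Added example, not Struts
project code; the sample documents below are constructed."""
import re
import xml.etree.ElementTree as ET

MITIGATION_CONSTANT = "struts.additional.excludedPatterns"
# Pattern recommended in the bulletin's workaround.
RECOMMENDED_PATTERN = r"^(action|method):.*"

# Constructed sample: a redefined stack that still sets excludeParams on the
# params interceptor (the value is an assumed, illustrative one).
VULNERABLE_STRUTS_XML = r"""<struts>
  <package name="default" extends="struts-default">
    <interceptors>
      <interceptor-stack name="myDefaultStack">
        <interceptor-ref name="exception"/>
        <interceptor-ref name="params">
          <param name="excludeParams">dojo\..*,^struts\..*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="myDefaultStack"/>
  </package>
</struts>"""

# Constructed sample: excludeParams dropped and the constant from the
# bulletin's workaround added.
HARDENED_STRUTS_XML = r"""<struts>
  <constant name="struts.additional.excludedPatterns" value="^(action|method):.*"/>
  <package name="default" extends="struts-default">
    <interceptors>
      <interceptor-stack name="myDefaultStack">
        <interceptor-ref name="exception"/>
        <interceptor-ref name="params"/>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="myDefaultStack"/>
  </package>
</struts>"""


def excludeparams_overrides(xml_text):
    """Return [(stack_name, excludeParams value)] for every interceptor stack
    whose params interceptor-ref sets its own excludeParams."""
    root = ET.fromstring(xml_text)
    findings = []
    for stack in root.iter("interceptor-stack"):
        for ref in stack.findall("interceptor-ref"):
            if ref.get("name") != "params":
                continue
            for param in ref.findall("param"):
                if param.get("name") == "excludeParams":
                    findings.append((stack.get("name"), (param.text or "").strip()))
    return findings


def additional_excluded_patterns(xml_text):
    """Return the comma-separated patterns of the mitigation constant, or []."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == MITIGATION_CONSTANT:
            return [p.strip() for p in const.get("value", "").split(",") if p.strip()]
    return []


def covers_action_and_method(patterns):
    """True if the given regexes exclude both action: and method: prefixed names."""
    compiled = [re.compile(p) for p in patterns]
    return all(any(c.match(name) for c in compiled) for name in ("action:x", "method:x"))


def audit(xml_text):
    """Return a list of human-readable findings; an empty list means both
    parts of the workaround are in place."""
    findings = []
    for stack, value in excludeparams_overrides(xml_text):
        findings.append(f"stack '{stack}': params interceptor sets excludeParams={value!r}; "
                        "in Struts 2.3.20 this overrides the default excluded patterns")
    if not covers_action_and_method(additional_excluded_patterns(xml_text)):
        findings.append(f"constant {MITIGATION_CONSTANT} is missing or does not cover "
                        f"action:/method: names (expected e.g. {RECOMMENDED_PATTERN})")
    return findings


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, audit(doc) or "OK")
```

Run it against your own struts.xml by reading the file into a string and passing it to audit(); a stack that inherits excludeParams from struts-default.xml without redefining it will not show up here, which is exactly why the bulletin asks for the stack to be redefined.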