Summary
A vulnerability introduced by manipulating parameters prefixed with "action:" allows servlet/URL security restrictions to be bypassed for actions in the same package

| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Permissions, Privileges, and Access Controls |
| Maximum security rating | Important |
| Recommendation | Developers should immediately upgrade to Struts 2.3.15.2 |
| Affected Software | Struts 2.0.0 - Struts 2.3.15.1 |
| Reporter | Zhangyan (L), Huawei PSIRT |
| CVE Identifier | |
Problem
The Struts 2 DefaultActionMapper supports a short-circuit mechanism for changing navigation state by prefixing a request parameter name with "action:". It was intended to let a form attach navigational information to individual submit buttons (several buttons in one form, each pointing at a different action).
In Struts 2 before 2.3.15.2 the action name following "action:" can easily be manipulated to reach restricted content of actions in the same package: the mapper only rewrites the name inside the current ActionMapping, so the request is still dispatched under its original URL. Any access control that is evaluated against the request URL, such as a security-constraint in web.xml, is checked for the URL the client asked for (e.g. Login.action) while the action that actually executes is the one named in the parameter.
Proof of concept
Modify web.xml in the Struts Blank app as follows:

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HelloWorld</web-resource-name>
        <url-pattern>/example/HelloWorld.action</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>admin</role-name>
</security-role>
```

This adds a security constraint on the action HelloWorld.action: try to open it directly and you will get a Permission Denied error. To bypass the constraint, use the URL below (Login.action is unrestricted, and the "action:HelloWorld" parameter makes DefaultActionMapper execute HelloWorld instead):

http://host/struts2-blank/example/Login.action?action:HelloWorld
Solution
DefaultActionMapper was changed to forward the request to the action named by the "action:" prefix. Instead of just updating the current ActionMapping, the DefaultActionMapper now creates a new result, a ServletDispatcherResult, and executes it, so the target action is reached through a request to its own URL rather than silently substituted into the current one.
Another option is to write your own ActionMapper and completely drop support for the "action:" prefix if support for multiple submit buttons isn't used. Consult the manual on how to write your own ActionMapper.
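The following is an added example of the second option, not code from the Struts project or from this bulletin. It assumes the Struts 2.3.x DefaultActionMapper API (the public handleSpecialParameters method, the protected prefixTrie field and the ParameterAction interface) and uses a hypothetical package and class name. The subclass keeps all of DefaultActionMapper's URL-to-action mapping but ignores any request parameter whose name starts with "action:", so a parameter can no longer change which action the mapping points at; other prefixes (such as "method:") are still handled by the parent's prefix table.

```java
package com.example.struts; // hypothetical package

import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.dispatcher.mapper.ActionMapping;
import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;
import org.apache.struts2.dispatcher.mapper.ParameterAction;

/**
 * Hypothetical ActionMapper that keeps DefaultActionMapper's behaviour except
 * that the "action:" parameter prefix is never honoured. Use it when the
 * application does not rely on <s:submit action="..."/> style multi-button
 * forms and wants request parameters to be unable to select another action.
 */
public class NoActionPrefixMapper extends DefaultActionMapper {

    // The prefix this mapper refuses to interpret.
    private static final String DROPPED_PREFIX = "action:";

    @Override
    public void handleSpecialParameters(HttpServletRequest request, ActionMapping mapping) {
        Set<String> seen = new HashSet<String>();
        Map<?, ?> params = request.getParameterMap();

        for (Object rawKey : params.keySet()) {
            String key = (String) rawKey;

            // Image buttons submit "name.x" / "name.y"; strip the suffix as
            // DefaultActionMapper does so the prefix lookup sees the bare name.
            if (key.endsWith(".x") || key.endsWith(".y")) {
                key = key.substring(0, key.length() - 2);
            }

            // The only change from the parent: an "action:" parameter is
            // ignored outright, so mapping.setName() is never driven by input.
            if (key.startsWith(DROPPED_PREFIX)) {
                continue;
            }

            // Process each remaining parameter name at most once and let the
            // inherited prefix table (e.g. "method:") handle it as before.
            if (seen.add(key)) {
                ParameterAction parameterAction = (ParameterAction) prefixTrie.get(key);
                if (parameterAction != null) {
                    parameterAction.execute(key, mapping);
                    break;
                }
            }
        }
    }
}
```

To activate it, register the class in struts.xml as a bean of type `org.apache.struts2.dispatcher.mapper.ActionMapper` (for example `<bean type="org.apache.struts2.dispatcher.mapper.ActionMapper" name="noActionPrefix" class="com.example.struts.NoActionPrefixMapper"/>`) and select it with `<constant name="struts.mapper.class" value="noActionPrefix"/>`. With this mapper in place, the proof-of-concept request to Login.action?action:HelloWorld simply executes Login; note that any form relying on "action:" submit buttons stops navigating and must be reworked before deploying this.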
Backward Compatibility
After upgrading to Struts >= 2.3.15.2, applications using the "action:" prefix should still work as expected.
It is strongly recommended to upgrade to Struts 2.3.15.2, which contains the corrected struts2-core library.