Summary
Directory traversal vulnerability while serving static content
| Who should read this | All Struts 2 developers |
|---|---|
| Impact of vulnerability | Read access to server filesystem resources (under certain application server environments) |
| Maximum security rating | Important |
| Recommendation | Developers should upgrade to Struts 2.0.12 |
| Affected Software | Struts 2.0.0 - Struts 2.0.11.2 |
| Original JIRA Ticket | |
| Reporter | Csaba Barta and László Tóth, PricewaterhouseCoopers |
Problem
The Struts2 dispatcher logic by design serves certain static resources found in the classpath of the web application for request URIs whose context-relative path starts with "/struts/".
FilterDispatcher (in 2.0) and DefaultStaticContentLoader (in 2.1) have a security vulnerability that allows an attacker to traverse the directory structure and download files outside the "static" content folder, using double-encoded URLs and relative paths, such as:
http://localhost:8080/struts2-blank-2.0.11.1/struts..
http://localhost:8080/struts2-blank-2.0.11.1/struts/..%252f
Although not all containers are vulnerable to this, the Struts2 dispatcher logic has to prevent access to static content outside the static resource folders.
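The kind of check the dispatcher needs, as an added example that is not Struts' own code: the request path is percent-decoded until it stops changing (so a double-encoded separator cannot slip past a single decode), must start with "/struts/" including the trailing slash (which rejects the "/struts.." shape), and any "." or ".." segment is refused outright. The class name StaticPathGuard, the resolve method, the three-round decode cap and the sample inputs in main are assumptions of this example; it needs Java 10 or later for the Charset overload of URLDecoder.decode.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical guard for classpath resources served under /struts/; not Struts' own code. */
public final class StaticPathGuard {
    private static final String STATIC_PREFIX = "/struts/";
    private static final int MAX_DECODE_ROUNDS = 3; // assumed cap; real names need one round

    /** Returns the resource name below the static folder, or null when the request is refused. */
    public static String resolve(String contextRelativePath) {
        if (contextRelativePath == null) return null;
        // Decode until the value stops changing, so "%252f" -> "%2f" -> "/" cannot
        // smuggle a separator past a check that decodes only once. (URLDecoder also
        // turns '+' into a space; static resource names are assumed not to contain '+'.)
        String decoded = contextRelativePath;
        for (int round = 0; round < MAX_DECODE_ROUNDS; round++) {
            String next;
            try {
                next = URLDecoder.decode(decoded, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return null; // truncated or invalid %-escape
            }
            if (next.equals(decoded)) break;
            decoded = next;
        }
        // Still encoded after the round cap: refuse rather than guess.
        if (decoded.indexOf('%') >= 0) return null;
        decoded = decoded.replace('\\', '/');
        // "/struts.." does not start with "/struts/" and is refused here.
        if (!decoded.startsWith(STATIC_PREFIX)) return null;
        // Static resource names never need "." or ".." segments, so refuse them
        // outright instead of resolving them against the folder boundary.
        List<String> segments = new ArrayList<>();
        for (String segment : decoded.substring(STATIC_PREFIX.length()).split("/")) {
            if (segment.isEmpty()) continue;
            if (segment.equals(".") || segment.equals("..")) return null;
            segments.add(segment);
        }
        return segments.isEmpty() ? null : String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed inputs: the two shapes quoted in the advisory and a legitimate request.
        System.out.println("/struts..            -> " + resolve("/struts.."));
        System.out.println("/struts/..%252f      -> " + resolve("/struts/..%252f"));
        System.out.println("/struts/example.css  -> " + resolve("/struts/example.css"));
    }
}
```

Whatever name resolve returns is then looked up only against the classpath static folder; a null means the request is answered with 404 and, ideally, logged, since a double-encoded ".." against "/struts/" has no legitimate use.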