
V-200: Apache Struts DefaultActionMapper Redirection and OGNL Security Bypass Vulnerabilities

July 18, 2013 - 6:00am


PROBLEM:

Two weaknesses and multiple vulnerabilities have been reported in Apache Struts.

PLATFORM:

Apache Struts 2.x

ABSTRACT:

The vulnerabilities can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.

REFERENCE LINKS:

Secunia Advisory SA54118
Apache Security Bulletin S2-16
Apache Security Bulletin S2-17
CVE-2013-2248
CVE-2013-2251

IMPACT ASSESSMENT:

High

DISCUSSION:

1) Input passed via the "redirect:" and "redirectAction:" prefixing parameters is not properly verified in the DefaultActionMapper class (org.apache.struts2.dispatcher.mapper.DefaultActionMapper) before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g., when a user clicks a specially crafted link to an affected script hosted on a trusted domain.

2) An input sanitization error when handling the "action:", "redirect:", and "redirectAction:" prefixing parameters in the DefaultActionMapper class (org.apache.struts2.dispatcher.mapper.DefaultActionMapper) can be exploited, for example, to inject and execute arbitrary Java code via OGNL (Object-Graph Navigation Language) expressions.
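For log review, the following added example (not part of the original bulletin or of Apache Struts) flags access-log entries whose query string uses one of the three prefixes as a parameter name, including URL-encoded and double-encoded forms. The log format, the sample entries and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Parameter-name prefixes the advisory lists for DefaultActionMapper.
PREFIXES = ("action:", "redirect:", "redirectAction:")

# Request line of a common/combined-format access-log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample entries; the values after each prefix are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jul/2013:06:00:01 +0000] "GET /shop/index.action?redirect:CONSTRUCTED_VALUE HTTP/1.1" 302 0',
    '192.0.2.11 - - [18/Jul/2013:06:00:02 +0000] "GET /shop/index.action?redirectAction%3ACONSTRUCTED_VALUE HTTP/1.1" 200 512',
    '192.0.2.12 - - [18/Jul/2013:06:00:03 +0000] "GET /shop/search.action?q=transaction:1&redirect=home HTTP/1.1" 200 2048',
    '192.0.2.13 - - [18/Jul/2013:06:00:04 +0000] "GET /shop/index.action?id=7&action%253ACONSTRUCTED_VALUE HTTP/1.1" 200 512',
]

def prefixed_params(target):
    """Return the advisory prefixes used as parameter names in a request target."""
    _, _, query = target.partition("?")
    hits = []
    for pair in re.split(r"[&;]", query):
        # Only the name part matters; decode twice to catch double encoding.
        name = unquote(unquote(pair.split("=", 1)[0]))
        for prefix in PREFIXES:
            if name.startswith(prefix) and prefix not in hits:
                hits.append(prefix)
    return hits

def scan(lines):
    """Return (line number, client address, prefixes) for each flagged entry."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = prefixed_params(match.group("target"))
        if hits:
            findings.append((number, line.split()[0], hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so this check covers query strings only.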

IMPACT:

Security Bypass
Spoofing

SOLUTION:

The vendor recommends updating to version 2.3.15.1.
