|Home > Security Bulletins > S2-016|
A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
|Who should read this||All Struts 2 developers and users|
|Impact of vulnerability||Remote command execution|
|Maximum security rating||Highly Critical|
|Recommendation||Developers should immediately upgrade to Struts 18.104.22.168|
|Affected Software||Struts 2.0.0 - Struts 2.3.15|
|Reporter||Takeshi Terada of Mitsui Bussan Secure Directions, Inc.|
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 22.214.171.124 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
In the Struts Blank App, open following URLs.
DefaultActionMapper was changed to sanitize "action:"-prefixed information properly. The features involved with "redirect:"/"redirectAction:"-prefixed parameters were completely dropped - see also S2-017.
|It is strongly recommended to upgrade to Struts 126.96.36.199, which contains the corrected Struts2-Core library.|