|Home > Security Bulletins > S2-017|
A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
|Who should read this||All Struts 2 developers and users|
|Impact of vulnerability||Open redirect|
|Maximum security rating||Important|
|Recommendation||Developers should immediately upgrade to Struts 184.108.40.206|
|Affected Software||Struts 2.0.0 - Struts 2.3.15|
|Reporter||Takeshi Terada of Mitsui Bussan Secure Directions, Inc.|
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 220.127.116.11 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.
In the Struts Showcase App, open following URLs.
DefaultActionMapper was changed to drop the features involved with "redirect:"/"redirectAction:"-prefixed parameters completely - see also S2-016.
After upgrading to Struts >= 18.104.22.168, applications using the "redirect:" / "redirectAction:" functionality will no longer work properly. Please investigate your code to replace such expressions with proper fixed navigation rules.
|It is strongly recommended to upgrade to Struts 22.214.171.124, which contains the corrected Struts2-Core library.|