Summary
When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
Who should read this |
All Struts 2 developers |
|---|---|
Impact of vulnerability |
CSRF protection weakening |
Maximum security rating |
Moderate |
Recommendation |
Developers should upgrade to Struts 2.3.4.1 |
Affected Software |
Struts 2.0.0 - Struts 2.3.4 |
Original JIRA Tickets |
|
Reporter |
James K. Williams |
CVE Identifier |
CVE-2012-4386 |
Problem
The Struts 2 token mechanism (token tag and token interceptors) was originally targeted at providing double submit check for forms.
In addition the mechanism basically qualifies for CSRF protection by implementing the Synchronizer Token Pattern, as described in the OWASP CSRF Prevention Cheat Sheet.
When used for that purpose, a possible attacker might manipulate a request by changing the token name configuration parameter to match a String typed session attribute known to him by name and value, along with changing the token value parameter to the value of the said session attribute. The token check mechanism is then bypassed by the existent session attribute matching the request's token configuration.
Solution
As of Struts 2.3.4.1, token session attribute names are decoupled from token parameter names by namespace prefixing.
Please upgrade to Struts 2.3.4.1.