Apache Struts 2 Documentation > Home > Security Bulletins > S2-004
#editReport()

Summary

Directory traversal vulnerability while serving static content

Who should read this All Struts 2 developers
Impact of vulnerability Read access to server filesystem resources (under certain application server environments)
Maximum security rating Important
Recommendation Developers should upgrade to Struts 2.0.12
Affected Software Struts 2.0.0 - Struts 2.0.11.2
Original JIRA Ticket WW-2779
Reporter Csaba Barta and László Tóth, PricewaterhouseCoopers

Problem

The Struts2 dispatcher logic by design allows to serve certain static resources found in the classpath of the web application for request URIs having a context relative path starting with "/struts/".

FilterDispatcher (in 2.0) and DefaultStaticContentLoader (in 2.1) have a security vulnerability that allows an attacker to traverse the directory structure and download files outside the "static" content folder, using double-encoded urls and relative paths, like:

http://localhost:8080/struts2-blank-2.0.11.1/struts..

http://localhost:8080/struts2-blank-2.0.11.1/struts/..%252f

http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Login.class/

Although not all container are vulnerable to this, the Struts2 dispatcher logic has to prevent access to static content outside the static resource folders.

Solution

As of Struts 2.0.12, the dispatcher logic was improved to correctly decode and normalize the request path before checking if static content serving applies for a given request.

You can obtain Struts 2.0.12 as a drop in replacement for Struts 2.0.11.2 to get the fixed Struts 2 core library.