|Home > Security Bulletins > S2-017|
A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Maximum security rating
Developers should immediately upgrade to Struts 220.127.116.11
Struts 2.0.0 - Struts 2.3.15
Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 18.104.22.168 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.
In the Struts Showcase App, open following URLs.
DefaultActionMapper was changed to drop the features involved with "redirect:"/"redirectAction:"-prefixed parameters completely - see also S2-016.