Apache Struts DefaultActionMapper redirect Prefix Vulnerability

2013-08-01T00:00:00
ID SAINT:8B8924409E9AFE277FF0998CBA641AF8
Type saint
Reporter SAINT Corporation
Modified 2013-08-01T00:00:00

Description

Added: 08/01/2013
CVE: CVE-2013-2251
BID: 61189
OSVDB: 95405

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities.

Problem

The **DefaultActionMapper** in Struts 2 versions prior to 2.3.15.1 does not properly handle parameters with a crafted **redirect:** prefix. This could allow remote attackers to execute arbitrary OGNL code.

Resolution

Upgrade to Struts 2.3.15.1 or higher.

References

<http://struts.apache.org/development/2.x/docs/s2-016.html>

Limitations

This exploit was tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).

This exploit requires that the Struts Action URL be provided.

Platforms

Windows