Apache Struts Update Patches Two Vulnerabilities

Type threatpost
Reporter Chris Brook
Modified 2013-10-18T17:24:33


The group behind Apache have pushed out a new version of Struts, fixing two issues in the framework that were giving developers difficulties over the past several weeks.

The Apache Software Foundation posted version of the framework online Tuesday. The release fixes an access control vulnerability and fixes a problem with the parameter “action: prefix” that existed in a previous build.

Related Posts

Windows PDF Library Flaw Puts Edge Users at Risk for RCE

August 9, 2016 , 2:59 pm

The Changing Face of Pseudo-Darkleech

July 5, 2016 , 2:31 pm

Bloatware Insecurity Continues to Haunt Consumer, Business Laptops

May 31, 2016 , 11:11 am

The broken access control vulnerability was thought to be fixed in but contained a bug in the mapping mechanism that could be used to bypass security constraints. The vulnerability was discovered by two researchers at Huawei’s Product Security Incident Response Team but has been fixed in Two constants were added that now prevent those bypasses.

The problem with “action: prefix” is actually an old problem too. It popped up last month after it was reported on WooYun, a third party Chinese platform for reporting security bugs. It was discovered that on manipulating parameters prefixed with “action:”/”redirect:/”redirectAction:” could lead to remote command execution.

WooYun warned last weekend the same remote execution vulnerability was affecting Ona Mae, a Japanese domain registrar, however that website appears to be working fine now.

Since the broken access control vulnerability has been given an important security rating, anyone who uses the framework is being encouraged to download the updates. is available in either the full distribution, or in one of three separate distributions: the library, source, example and documentation portions.

Struts is an open source framework used by developers to create Java-based web apps.