Two vulnerabilities have been identified in Apache Struts, which could be exploited by attackers to bypass security restrictions or gain knowledge of sensitive information.
The first issue is caused by input validation errors in "FilterDispatcher" and "DefaultStaticContentLoader" when processing user-supplied requests, which could allow attackers to traverse the directory structure and download files outside the "static" content folder, using double-encoded URLs and relative paths.
The second vulnerability is caused by an error in XWork, which could allow a malicious user to bypass the "#"-usage protection built into the ParametersInterceptor and manipulate server-side context objects.
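For the first issue, the check that defeats double-encoded relative paths is to decode the request path until it stops changing, resolve it against the static folder, and confirm the result is still inside that folder. The following is an added illustration, not code from Apache Struts or its patch; the class name `StaticPathCheck`, the root `/srv/app/static` and the sample request paths are constructed for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.file.Path;
import java.nio.file.Paths;

public class StaticPathCheck {
    // Decode until stable, so "%252e" -> "%2e" -> "." is fully unwrapped before any path check.
    static String fullyDecode(String raw) throws UnsupportedEncodingException {
        String current = raw;
        for (int i = 0; i < 5; i++) {              // bounded: deeper nesting is treated as hostile
            String next = URLDecoder.decode(current, "UTF-8");
            if (next.equals(current)) return current;
            current = next;
        }
        throw new IllegalArgumentException("too many encoding layers");
    }

    // Returns the resolved file path, or null when the request would leave the static root.
    static Path resolve(Path staticRoot, String requestPath) {
        try {
            String decoded = fullyDecode(requestPath).replace('\\', '/');
            while (decoded.startsWith("/")) decoded = decoded.substring(1); // keep it relative
            Path root = staticRoot.toAbsolutePath().normalize();
            Path candidate = root.resolve(decoded).normalize();            // collapses "." and ".."
            return candidate.startsWith(root) ? candidate : null;          // containment check
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return null; // malformed escapes, invalid path characters, or excessive nesting
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/app/static"); // constructed static content folder
        String[] samples = {                       // constructed request paths
            "css/site.css",
            "js/../css/site.css",
            "%2e%2e/%2e%2e/WEB-INF/web.xml",
            "..%252f..%252fWEB-INF/web.xml"
        };
        for (String s : samples) {
            Path p = resolve(root, s);
            System.out.println(s + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```

`normalize()` is purely lexical; where the static folder can contain symbolic links, compare the `toRealPath()` forms of both paths as well.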