Struts2 2.3.15 Open Redirect

`CVE Number: CVE-2013-2248  
Title: Struts2 Prefixed Parameters Open Redirect Vulnerability  
Affected Software: Apache Struts v2.0.0 - 2.3.15  
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.  
Issue Status: v2.3.15.1 was released which fixes this vulnerability  
Issue ID by Vender: S2-017  
  
Overview:  
Struts2 is an open-source web application framework for Java.  
Struts2 (v2.0.0 - 2.3.15) is vulnerable to open redirect (and possibly  
HTTP response header injection). This is caused by insecure design of  
prefixed parameters (redirect: and redirectAction:)  
in DefaultActionMapper class of Struts2.  
  
Details:  
Struts2's ActionMapper is a mechanism for mapping between incoming HTTP  
request and action to be executed on the server. DefaultActionMapper is  
a default implementation of ActionMapper. It handles four types of  
prefixed parameters: action:, redirect:, redirectAction: and method:.  
  
Among these four prefixed parameters, redirect: and redirectAction: can  
be used for open redirect attacks.  
  
For example, redirect prefix is used for HTTP redirect.  
  
Normal redirect prefix usage in JSP:  
<s:form action="foo">  
...  
<s:submit value="Register"/>  
<s:submit name="redirect:http://www.google.com/" value="Cancel"/>  
</s:form>  
  
If the cancel button is clicked, redirection is performed.  
  
Request URI for redirection:  
/foo.action?redirect:http://www.google.com/  
  
Resopnse Header:  
HTTP/1.1 302 Found  
Location: http://www.google.com/  
  
Usage of redirectAction: is similar to redirect.  
See Struts2 document for details.  
https://cwiki.apache.org/confluence/display/WW/ActionMapper  
  
The problem is that applications cannot restrict destination URL of  
redirect. Furthermore, prefixed parameters are quite forceful. It means  
that behavior of application which is not intended to accept prefixed  
parameters can also be overwritten by prefixed parameters added to HTTP  
request.  
  
Therefore any struts2 application that use DefaultActionMapper can be  
open redirector simply by adding redirect: / redirectAction: prefixed  
parameters.  
  
The last thing that should be mentioned is that Struts2 passes redirect  
URL to ServletHttpResponse#sendRedirect() even if the URL contains line  
breaks. Impact of this behavior depends on the container server that  
hosts Struts2.  
  
As far as I know, recent versions of Tomcat filters line breaks, but a  
few servers such as WebLogic do not filter line breaks (More precisely,  
WebLogic blocks CR+LF sequence but you can bypass it in several ways).  
In such server environment, the behavior of Struts2 apparently causes  
HTTP response header injection.  
  
Proof of Concept:  
PoC is already disclosed on vender's web page.  
https://struts.apache.org/release/2.3.x/docs/s2-017.html  
  
Below PoC URLs are just quotes from the vender's page.  
http://host/struts2-showcase/fileupload/upload.action?redirect:http://www.yahoo.com/  
http://host/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.google.com/%23  
  
HTTP response header injection PoC.  
http://host/struts2-blank/example/HelloWorld.action?redirect:x%0ASet-Cookie:x%3D123  
http://host/struts2-blank/example/HelloWorld.action?redirect:x%0DSet-Cookie:x%3D123  
http://host/struts2-blank/example/HelloWorld.action?redirect:x%0D%0A+Set-Cookie:x%3D123  
(These URLs work on specific servers and specific browsers only)  
  
Timeline:  
2013/06/26 Reported to Struts Security ML  
2013/07/17 Vender announced v2.3.15.1  
2013/08/10 Disclosure of this advisory  
  
Recommendation:  
Upgrade to the latest version. As stated in the vender's page,  
redirect: and redirectAction: parameters were completely dropped and  
do not work in the latest version. Thus attention for compatibility  
issues is required for upgrade.  
  
Reference:  
https://struts.apache.org/release/2.3.x/docs/s2-017.html  
https://cwiki.apache.org/confluence/display/WW/ActionMapper  
`