On Wednesday 3 October 2018 the Apache Software Foundation released information about an open redirect vulnerability in the default servlet of Apache Tomcat. The vulnerability received the identifier CVE-2018-11784.
This page explains how to test whether your web application is affected by this issue.
The announcement describes the vulnerability as follows:
When the default servlet returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
Looking at the code change that was introduced to fix this issue (the second reference below), we can see that the redirect location is built from the raw request URI plus a trailing slash, and that the fix strips any extra leading slashes from that location until only one remains. A request for //foo therefore used to produce the redirect location //foo/, which browsers (and Tomcat's own absolute-URL conversion) treat as a scheme-relative URL pointing at the host foo; after the fix the location is /foo/. The fix is contained in Tomcat 9.0.12, 8.5.34 and 7.0.91.
That is also exactly how you can test whether your application is vulnerable: request a directory with extra leading slashes and inspect the redirect you get back.
Proof of concept:
- Identify a directory within your application that is served by Tomcat's default servlet, for example http://application/foo/ (requesting http://application/foo without the trailing slash should redirect you to http://application/foo/).
- Change the URL so that there are at least two leading slashes before the directory name and no trailing slash. The test URL then becomes http://application//foo
- Request that URL and look at the Location header of the response without following the redirect (for example with curl, which does not follow redirects unless -L is given, or in the browser's network tab). If the server answers with Location: //foo/ (or http://foo/), the browser will be sent to http://foo/ and your installation is vulnerable. A fixed Tomcat answers with Location: /foo/ or the equivalent absolute URL on the same host.
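As an added worked example (my code, not the page's or Tomcat's), the following Python script covers both the fix described above and the proof-of-concept steps: it builds the test URL, models the redirect construction before and after the fix (a Python paraphrase of the logic in the referenced code change, not Tomcat's source), classifies a Location header as on-host or off-host, and can send the crafted request to a live server without following redirects. The host name application, the directory foo and port 80 are placeholders.

```python
"""Checker for the CVE-2018-11784 open redirect in Tomcat's default servlet.

Added example; not code from the original page or from Apache Tomcat.
The host "application" and directory "foo" are placeholders, and the two
model_* functions paraphrase the redirect construction before and after
the Tomcat fix in Python; they are not Tomcat's own code.
"""
import http.client
from typing import Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def build_test_url(base_url: str, directory: str) -> str:
    """Turn http://application and foo into http://application//foo:
    two leading slashes before the directory and no trailing slash."""
    return f"{base_url.rstrip('/')}//{directory.strip('/')}"


def model_redirect_vulnerable(request_uri: str, query: Optional[str] = None) -> str:
    """Directory redirect as built before the fix: raw request URI plus '/'.
    A request URI of //foo yields //foo/, which a browser reads as the
    scheme-relative URL http://foo/."""
    location = request_uri + "/"
    if query is not None:
        location += "?" + query
    return location


def model_redirect_fixed(request_uri: str, query: Optional[str] = None) -> str:
    """Same construction with the fix applied: extra leading slashes are
    dropped until only one remains, so //foo/ or ///foo/ becomes /foo/."""
    location = model_redirect_vulnerable(request_uri, query)
    while len(location) > 1 and location[1] == "/":
        location = location[1:]
    return location


def is_off_host_redirect(location: str, expected_host: str) -> bool:
    """True when a Location header points at another host: a scheme-relative
    value such as //foo/ or an absolute URL on a foreign host. A path-only
    value such as /foo/ stays on the host that was requested."""
    hostname = urlsplit(location).hostname
    if hostname is None:
        return False
    return hostname.lower() != expected_host.lower()


def verdict(host: str, status: int, location: Optional[str]) -> str:
    """Summarise one probe response."""
    if status not in REDIRECT_STATUSES or location is None:
        return "no redirect (path may not be a directory served by the default servlet)"
    if is_off_host_redirect(location, host):
        return f"VULNERABLE: redirected off-host to {location}"
    return f"not vulnerable: redirected to {location}"


def probe(host: str, path: str, port: int = 80, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Send the crafted path to a live server and return (status, Location)
    without following the redirect. http.client sends the path exactly as
    written, so the double slash is preserved. Needs network access."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration with the request URI from the proof of concept.
    print(build_test_url("http://application", "foo"))   # http://application//foo
    print(model_redirect_vulnerable("//foo"))            # //foo/
    print(model_redirect_fixed("//foo"))                 # /foo/
    print(verdict("application", 302, "//foo/"))
    print(verdict("application", 302, "/foo/"))
    # Live check against a placeholder host:
    # status, loc = probe("application", "//foo")
    # print(verdict("application", status, loc))
```

Inspecting the Location header is deliberate: letting a browser follow the redirect to http://foo/ usually ends in a DNS error that hides the result, whereas the header shows directly whether the server sent you off-host.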
References:
- Announcement (fixed in Apache Tomcat 8.5.34): http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34
- Code change to fix CVE-2018-11784: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catali...
- CVE details: https://nvd.nist.gov/vuln/detail/CVE-2018-11784