The group behind Apache have pushed out a new version of Struts, fixing two issues in the framework that were giving developers difficulties over the past several weeks.
The Apache Software Foundation posted version 184.108.40.206 of the framework online Tuesday. The release fixes an access control vulnerability and fixes a problem with the parameter “action: prefix” that existed in a previous build.
The broken access control vulnerability was thought to be fixed in 220.127.116.11 but contained a bug in the mapping mechanism that could be used to bypass security constraints. The vulnerability was discovered by two researchers at Huawei’s Product Security Incident Response Team but has been fixed in 18.104.22.168. Two constants were added that now prevent those bypasses.
The problem with “action: prefix” is actually an old problem too. It popped up last month after it was reported on WooYun, a third party Chinese platform for reporting security bugs. It was discovered that on 22.214.171.124 manipulating parameters prefixed with “action:”/”redirect:/”redirectAction:” could lead to remote command execution.
Since the broken access control vulnerability has been given an important security rating, anyone who uses the framework is being encouraged to download the updates. 126.96.36.199 is available in either the full distribution, or in one of three separate distributions: the library, source, example and documentation portions.
Struts is an open source framework used by developers to create Java-based web apps.