CVE-2015-0899 - MultiPageValidator Bypass in Apache Struts 1.x

CVE-2015-0899 - MultiPageValidator Bypass in Apache Struts 1.x

Apache Struts 1 Validator’s Multi-Page Validator (MPV) feature contains a flaw that may allow input validation rules to be bypassed. For more information, see CVE-2015-0899.

NES upgrade information for MultiPage Validation

acceptPage attribute has been added to the action element for struts configuration to mitigate this vulnerability. The acceptPage attribute specifies the page number that the action is allowed to accept. If two or more page values are accepted, then acceptPage should be set to the minimum of those values.

Why this vulnerability exists: The vulnerability occurs because the MultiPageValidator in Struts 1.x does not strictly enforce which page's input is accepted by an action. Without explicit restriction, an attacker can submit input for a later page without completing validation for previous pages, bypassing required validation steps.

When applications are vulnerable: Applications are vulnerable if they use multi-page forms with the Struts 1 Validator and do not restrict which page values are accepted by each action. This is especially critical in workflows where each page's input must be validated in sequence.

What happens if acceptPage is not configured: If the acceptPage attribute is not set, multi-page validation is disabled and all validation fields are enabled.

For example

validation.xml

    <form name="multiRegistrationForm">
      <field property="firstName" depends="required,mask" page="1">
        <arg key="registrationForm.firstname.displayname" />
        <var>
          <var-name>mask</var-name>
          <var-value>^\w+$</var-value>
        </var>
      </field>
      <field property="cityStateZip.stateProv" depends="required,mask" page="2">
        <arg key="registrationForm.stateprov.displayname" />
        <var>
          <var-name>mask</var-name>
          <var-value>^[a-zA-Z]*$</var-value>
        </var>
      </field>
    </form>

struts-config.xml with acceptPage attribute

    <action path="/multiRegistration-submit"
            type="org.apache.struts.webapp.validator.MultiRegistrationAction"
            name="multiRegistrationForm"
            scope="request"
            validate="false"
            acceptPage="1">
      <set-property property="cancellable" value="true"/>
      <forward name="success" path="/welcome.do" />
      <forward name="input1" path="/multiRegistration1.jsp" />
      <forward name="input2" path="/multiRegistration2.jsp" />
    </action>