When we looked at the Convention plugin, we discovered that it provides a variety of overrides for action names, interceptors, namespace, and XWork. It establishes a variety of conventions, such as package naming, URL naming, default action, result handling, and namespaces. It also contains features for search engine optimization (SEO).
We took a manual approach, comparing the source code between versions, to identify the affected code in the Convention plugin. There we found the 2.3 source changes and 2.5 source changes for the fix, where the code is tightened around path handling when the findResult method is called. This kind of analysis would, of course, be much slower on closed-source products. Open source allows us to identify vulnerabilities, analyze them, and find solutions or workarounds faster.
We also confirmed that the Convention plugin has been bundled with Struts since the 2.1 release, replacing the Codebehind plugin and Zero Config plugin. The Convention plugin typically requires no configuration and is enabled by default. Many of its conventions are controlled using configuration properties in struts.xml.
Following the method calls we had found in the sources revealed that a specially crafted request would allow the reading of arbitrary pages. We further deduced that this would be a page configured under struts.convention.result.path, leading to path traversal and disclosure of sensitive content. This path normally defaults to the WEB-INF directory. However, none of the applications in the default .war files shipped with Struts exercises this functionality out of the box. So we set out to customize the Showcase application to exercise it. We created a class called GoAction and compiled it against a single Struts version.
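To make the defect concrete from the defender's side, here is an added example (not code from Struts or from the Convention plugin, and not a reproduction of the actual fix) of the kind of containment check a result-path lookup needs: the requested name is resolved against the configured base directory, normalized, and only accepted if the result is still inside that base. The base directory, the sample names and the class name ResultPathCheck are all assumptions constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not Struts code: a path containment check of the kind a
 * result-path lookup needs so that a crafted name cannot escape the
 * configured result directory. The base directory used in main() is a
 * constructed placeholder.
 */
public final class ResultPathCheck {

    private ResultPathCheck() {}

    /**
     * Returns the normalized absolute path for {@code requested} if it stays
     * inside {@code base}, otherwise {@code null} (caller treats as "not found").
     */
    public static Path resolveInside(Path base, String requested) {
        Path root = base.toAbsolutePath().normalize();
        // Drop leading separators so an absolute name cannot replace the base.
        String rel = requested.replaceFirst("^[/\\\\]+", "");
        // normalize() collapses "." and ".." segments before the comparison.
        Path candidate = root.resolve(rel).normalize();
        // Path.startsWith compares whole name elements, so a sibling directory
        // whose name merely begins with the base name does not pass.
        return candidate.startsWith(root) ? candidate : null;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/opt/app/WEB-INF/content"); // constructed base
        String[] samples = {
            "hello.jsp",                 // accepted
            "sub/page.jsp",              // accepted
            "sub/../other.jsp",          // accepted: stays inside after normalizing
            "../outside.txt",            // rejected: escapes the base
            "/absolute/elsewhere.jsp",   // rejected: leading slash stripped, then fine? no: it resolves inside; see note
        };
        for (String s : samples) {
            Path p = resolveInside(base, s);
            System.out.printf("%-28s -> %s%n", s, p == null ? "REJECTED" : p);
        }
    }
}
```

Two caveats a practitioner would want: normalize() works on the string form only, so symbolic links inside the base directory are not followed (use toRealPath() on an existing file if that matters), and the check must run on the decoded request value, after the servlet container has applied URL decoding, because an encoded ".." that is decoded later would bypass a check made on the raw string. Note also that the stripped-leading-slash case in the sample list is accepted by design here: the name is treated as relative to the base, which is the behaviour you want for a result lookup.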