Summary
This host is running Apache Struts2 and is prone to arbitrary java method execution vulnerabilities.
Impact
Successful exploitation will allow remote attackers to execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language) expressions.
Solution
Upgrade to Apache Struts 2 version 2.3.14.2 or later, For updates refer to http://struts.apache.org
Insight
Flaw is due to improper handling of the includeParams attribute in the URL and Anchor tags
Affected
Apache Struts 2 before 2.3.14.2
Detection
Send a crafted data like system functions via HTTP POST request and check whether it is executing the java function or not.
References
- http://metasploit.org/modules/exploit/multi/http/struts_include_params
- http://secunia.com/advisories/53553
- http://struts.apache.org/development/2.x/docs/s2-014.html
- http://www.exploit-db.com/exploits/25980
- http://www.osvdb.com/93645
- https://cwiki.apache.org/confluence/display/WW/S2-013
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2013-1966, CVE-2013-2115 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities