Summary
This host is running Struts and is prone to a remote command execution vulnerability.
Impact
Successful exploitation will allow attackers to manipulate server-side context objects with the privileges of the user running the application.
Impact Level: Application.
Solution
Upgrade to Struts version 2.2 or later.
For updates refer to http://struts.apache.org/download.cgi
Insight
The flaw is due to the extensive expression evaluation capability of 'OGNL' in XWork in Struts, which uses a permissive whitelist. This allows remote attackers to modify server-side context objects and bypass the '#' protection mechanism in ParameterInterceptors via various variables.
Affected
Struts version 2.0.0 through 2.1.8.1
References
Severity
Classification
CVE: CVE-2010-1870
CVSS Base Score: 5.0
CVSS Base Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- Apache Struts2 'XWork' Information Disclosure Vulnerability
- Apache CouchDB Cross Site Request Forgery Vulnerability
- Apache OFBiz Multiple Cross Site Scripting Vulnerabilities
- Andy's PHP Knowledgebase Multiple Cross-Site Scripting Vulnerabilities
- Aardvark Topsites PHP 'index.php' Multiple Cross Site Scripting Vulnerabilities