Apache Struts URL includeParams Attribute OGNL Code Injection

Added: 07/18/2013
CVE: CVE-2013-2115
BID: 60167
OSVDB: 93645

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Problem

Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.14.2 do not properly handle the includeParams attribute in URLs. This could allow remote attackers to execute arbitrary OGNL code via a crafted request.

Resolution

Upgrade to Struts 2.3.14.2 or higher.

References

http://struts.apache.org/development/2.x/docs/s2-014.html

Limitations

This exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).

This exploit requires that the Struts Action URL be provided.

Platforms

Windows

Back to exploit index