Apache Struts ParameterInterceptor Class OGNL Expression Parsing Remote Command Execution
Synopsis :
A remote web application uses a framework that has a code execution
vulnerability.
Description :
The remote web application appears to use Struts 2, a web framework
that uses XWork. Due to a flaw in the ParameterInterceptor class,
user input is not properly sanitized, which could allow a remote
attacker to run arbitrary Java code on the remote host by sending a
specially crafted HTTP request.
See also :
http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html
https://cwiki.apache.org/confluence/display/WW/S2-009
Solution :
Upgrade to Struts 2.3.1.2 or later.
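As an added example (not part of the original plugin text), the check below walks a WEB-INF/lib listing and flags any Struts 2 core jar older than the 2.3.1.2 fix named above. It assumes the usual struts2-core-<version>.jar naming; the directory listing is constructed sample input.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Fixed release stated in the advisory ("Upgrade to Struts 2.3.1.2 or later").
FIXED_VERSION = "2.3.1.2"

# Assumed jar naming: the Struts 2 core library ships as struts2-core-<version>.jar,
# optionally with a qualifier such as -SNAPSHOT before the extension.
_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1, 0) so short versions compare numerically against 2.3.1.2."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def struts_version_from_jar(jar_name: str) -> Optional[str]:
    """Return the version string of a struts2-core jar, or None for any other file."""
    m = _JAR_RE.match(Path(jar_name).name)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fixed release named in the advisory."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_jars(jar_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every struts2-core jar below the fixed version."""
    hits = []
    for name in jar_names:
        version = struts_version_from_jar(name)
        if version is not None and is_vulnerable(version):
            hits.append((name, version))
    return hits


# Constructed sample listing of a WEB-INF/lib directory, not from a real deployment.
SAMPLE_LISTING = [
    "/srv/app/WEB-INF/lib/struts2-core-2.3.1.1.jar",
    "/srv/app/WEB-INF/lib/struts2-core-2.2.3.jar",
    "/srv/app/WEB-INF/lib/struts2-core-2.3.1.2.jar",
    "/srv/app/WEB-INF/lib/xwork-core-2.3.1.1.jar",
    "/srv/app/WEB-INF/lib/ognl-3.0.3.jar",
]

if __name__ == "__main__":
    for jar, version in find_vulnerable_jars(SAMPLE_LISTING):
        print(f"{jar}: struts2-core {version} is below {FIXED_VERSION}, upgrade required")
```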
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
original thread: http://www.nessus.org/plugins/index.php?view=single&id=57850