Vulnerability category: Web Application
Severity:
Vulnerability details
The Apache Struts web framework is a free open source solution for creating Java web applications.
Apache Struts is prone to multiple remote code execution vulnerabilities (CVE-2013-2251 and CVE-2013-2248) because it fails to adequately sanitize user-supplied input.
Apache Struts is affected by the following issues:
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
Unsanitized OGNL expressions are the root cause of these vulnerabilities. In Struts 2 before 2.3.15.1, the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized before it is evaluated.
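The mechanism described above leaves a recognisable trace in web server access logs: a query parameter whose name begins with one of the navigation prefixes and which carries an OGNL expression marker. The following detection script is an added example, not part of the original advisory or of the Struts project; the log lines, the IP addresses and the `CONSTRUCTED_EXPR` placeholder are all constructed for illustration, and the log format is assumed to be the Apache/Nginx combined-style format. Legitimate uses of the prefixes (a plain navigation target such as `action:home`) are deliberately not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name prefixes that DefaultActionMapper treats as navigation
# directives (named in the advisory above).
NAV_PREFIXES = ("action:", "redirect:", "redirectAction:")

# OGNL expression markers. A navigation target that contains one is the
# signature of an attempt to have the target evaluated as an expression.
OGNL_MARKER = re.compile(r"[%$#]\{")

# Assumed combined-style access log format (constructed for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

# Constructed sample log lines: two benign requests (one of them a normal use
# of the "action:" prefix) and two that carry an expression marker behind a
# navigation prefix. CONSTRUCTED_EXPR is a placeholder token, not real OGNL.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Aug/2013:10:12:01 +0000] "GET /app/index.action?name=bob HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Aug/2013:10:12:05 +0000] "GET /app/index.action?redirect:%25%7BCONSTRUCTED_EXPR%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [10/Aug/2013:10:12:09 +0000] "GET /app/index.action?action:home HTTP/1.1" 200 128',
    '10.0.0.11 - - [10/Aug/2013:10:12:12 +0000] "GET /app/index.action?redirectAction:%24%7BCONSTRUCTED_EXPR%7D HTTP/1.1" 500 77',
]


def suspicious_params(target):
    """Return [(name, value)] for query parameters whose name starts with a
    navigation prefix and whose name or value contains an OGNL marker.

    parse_qsl percent-decodes both halves, so an encoded "%25%7B" is seen as
    "%{" and cannot slip past the marker check. keep_blank_values=True keeps
    parameters that have no "=" at all, which is how these prefixes are
    normally sent."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not name.startswith(NAV_PREFIXES):
            continue
        if OGNL_MARKER.search(name) or OGNL_MARKER.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Parse access log lines and return one finding per request that carries
    a suspicious navigation parameter. Unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f'{finding["ip"]} {finding["timestamp"]} {finding["status"]} '
              f'{finding["target"]} -> {finding["params"]}')
```

The script reports the requester, the decoded parameter and the response status; a 302 or 500 on a flagged request is the usual pattern for an attempt that reached the mapper, while a 404 suggests the request never hit a Struts action at all. Once the upgrade from the solution section is in place, the same scan is useful for confirming that no further attempts are being served with anything other than an error.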
Impact
This vulnerability could allow for open redirects or execution of arbitrary commands on the server, potentially resulting in complete system compromise.
Solution
Upgrade to the latest version of the Apache Struts 2 framework to fix these issues. For more details, refer to the Struts security bulletins S2-016 and S2-017.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Virtual Patches:
Trend Micro Virtual Patching
Virtual Patch #1005604: 1005604 - Apache Struts Multiple Remote Command Execution Vulnerability