
Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution

Description

The remote web application appears to use Struts 2, a web framework that uses OGNL (Object-Graph Navigation Language) as its expression language. Due to an error in the way the ExceptionDelegator component handles mismatched data types, an unauthenticated, remote attacker can execute arbitrary commands on the remote host by sending a specially crafted request. The flaw exists because the ExceptionDelegator interprets parameter values as OGNL expressions when a type-conversion error occurs. Note that this plugin will only report the first vulnerable instance of a Struts 2 application.
