Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.
Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities.
**DefaultActionMapper** in Struts 2 versions prior to 220.127.116.11 does not properly handle parameters with a crafted
**redirect:** prefix. This could allow remote attackers to execute arbitrary OGNL code.
Upgrade to Struts 18.104.22.168 or higher.
This exploit was tested against Apache Software Foundation Struts 22.214.171.124 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).
This exploit requires that the Struts Action URL be provided.