module
Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
| Disclosed | Created |
|---|---|
| 2013-07-02 | 2018-05-30 |
Disclosed
2013-07-02
Created
2018-05-30
Description
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation
state changes by prefixing parameters with "action:" or "redirect:", followed by
a desired navigational target expression. This mechanism was intended to help with
attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or
"redirectAction:" is not properly sanitized. Since said information will be
evaluated as OGNL expression against the value stack, this introduces the
possibility to inject server side code.
state changes by prefixing parameters with "action:" or "redirect:", followed by
a desired navigational target expression. This mechanism was intended to help with
attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or
"redirectAction:" is not properly sanitized. Since said information will be
evaluated as OGNL expression against the value stack, this introduces the
possibility to inject server side code.
Authors
Takeshi Terada
sinn3r sinn3r@metasploit.com
juan vazquez juan.vazquez@metasploit.com
sinn3r sinn3r@metasploit.com
juan vazquez juan.vazquez@metasploit.com
Platform
Linux,Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.