Rapid7 Vulnerability & Exploit Database

RHSA-2006:0281: struts security update for Red Hat Application Server

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 03/30/2006
Created: 07/25/2018
Added: 11/26/2007
Modified: 07/04/2017

Description

An updated Struts package that fixes several security issues is now available for Red Hat Application Server. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Struts is a framework for building web applications with Java.

A validation bug was found in the way Struts handles org.apache.struts.taglib.html.Constants.CANCEL requests. If it is possible for a remote attacker to inject a CANCEL request during a validation operation, it may be possible for the attacker to acquire credentials without the proper authentication information. (CVE-2006-1546)

A denial of service bug was found in the way Struts handles multipart/form-data encoded form data. If it is possible for a remote attacker to reference the public getMultipartRequestHandler method, the attacker can prevent the Struts application from functioning properly. (CVE-2006-1547)

A cross site scripting bug was found in the way Struts displays certain error messages via its LookupDispatchAction, DispatchAction, and ActionDispatcher handler. It may be possible for an attacker to construct a specially crafted URL that could fool a victim into believing they are viewing a trusted site. (CVE-2006-1548)

All users of Struts should upgrade to this updated package containing Struts version 1.2.9, which is not vulnerable to these issues.

Solution(s)

  • redhat-upgrade-struts
  • redhat-upgrade-struts-javadoc
  • redhat-upgrade-struts-manual
  • redhat-upgrade-struts-webapps-tomcat5
