Apache Struts 2 DefaultActionMapper Prefixes OGNL remote code execution exploit.
8fc62c46ad7c22f69ed91bac27cf5de646a12ab72512eb056f4af8ee4edfc6ba
Apache Archiva versions 1.3 through Continuum 1.3.6 and versions 1.2 through 1.2.2 are vulnerable to remote command execution.
6016752b96e92a44c9cf1eebaa5b10137807afe16bffa1cffa6f222ce1c77103
Struts2 suffers from an OGNL injection vulnerability that allows for redirection. Versions 2.0.0 through 2.3.15 are affected.
8dd8aee0be9f1818cac60e7eaadec5a677b61944590e6c481865994fb69abbf0
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. This Metasploit module has been tested successfully on Struts 2.3.15 over Tomcat 7, with Windows 2003 SP2 and Ubuntu 10.04 operating systems.
c240d5878f508b714bf5ceed219b636cd035393594292bf01d990b95dae4b372