This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions prior to 2.3.14.2. A specially crafted request parameter can be used to inject arbitrary OGNL code into the stack, bypassing Struts and OGNL library protections. When targeting an action that requires interaction through GET, the payload should be split, taking the URI length limits into account. In this case, if the rendered JSP has more than one point of injection, the payload could be corrupted. This should happen only when the payload is larger than the URI length.
b8de09303f34b2ff81911d9ef267d142269251e15e41b38a2fb9e953d6b6f460
Apache Struts has released version 2.3.14.2. This version addresses a security issue. A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation, and XSS attacks.
997e378c4b860d1aa2a155b1337c65add2fa61cfb34c8b401dbef4cd54ad9b69