Vulnerabilities > CVE-2014-0094 - Unspecified vulnerability in Apache Struts

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apache
nessus
exploit available
metasploit

Summary

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Exploit-Db

  • idEDB-ID:41690
    last seen2018-11-30
    modified2014-03-06
    published2014-03-06
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/41690
    titleApache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
  • descriptionApache Struts ClassLoader Manipulation Remote Code Execution. CVE-2014-0094,CVE-2014-0112,CVE-2014-0113. Remote exploits for multiple platform
    idEDB-ID:33142
    last seen2016-02-03
    modified2014-05-02
    published2014-05-02
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/33142/
    titleApache Struts ClassLoader Manipulation Remote Code Execution

Metasploit

descriptionThis module exploits a remote command execution vulnerability in Apache Struts versions 1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due to the ParametersInterceptor. Both allow access to 'class' parameter that is directly mapped to getClass() method and allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary Java code via crafted parameters.
idMSF:EXPLOIT/MULTI/HTTP/STRUTS_CODE_EXEC_CLASSLOADER
last seen2020-06-05
modified2019-01-29
published2014-04-29
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts_code_exec_classloader.rb
titleApache Struts ClassLoader Manipulation Remote Code Execution

Nessus

  • NASL familyCGI abuses
    NASL idMYSQL_ENTERPRISE_MONITOR_2_3_17.NASL
    descriptionAccording to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities : - A flaw exists within
    last seen2020-06-01
    modified2020-06-02
    plugin id83293
    published2015-05-08
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83293
    titleMySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83293);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2014-0050",
        "CVE-2014-0094",
        "CVE-2014-0112",
        "CVE-2014-0113",
        "CVE-2014-0116"
      );
      script_bugtraq_id(
        65400,
        65999,
        67064,
        67081,
        67218
      );
      script_xref(name:"CERT", value:"719225");
      script_xref(name:"EDB-ID", value:"33142");
      script_xref(name:"EDB-ID", value:"31615");
    
      script_name(english:"MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of MySQL Enterprise Monitor.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the MySQL Enterprise Monitor
    running on the remote host is affected by multiple vulnerabilities : 
    
      - A flaw exists within 'MultipartStream.java' in Apache
        Commons FileUpload when parsing malformed Content-Type
        headers. A remote attacker, using a crafted header,
        can exploit this to cause an infinite loop, resulting
        in a denial of service. (CVE-2014-0050)
    
      - Security bypass flaws exist in the ParametersInterceptor
        and CookieInterceptor classes, within the included
        Apache Struts 2 component, which are due to a failure to
        properly restrict access to their getClass() methods. A
        remote attacker, using a crafted request, can exploit
        these flaws to manipulate the ClassLoader, thus allowing
        the execution of arbitrary code or modification of the
        session state. Note that vulnerabilities CVE-2014-0112
        and CVE-2014-0116 occurred because the patches for
        CVE-2014-0094 and CVE-2014-0113, respectively, were not
        complete fixes. (CVE-2014-0094, CVE-2014-0112,
        CVE-2014-0113, CVE-2014-0116)");
      # https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56618dc1");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-021");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-022");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL Enterprise Monitor 2.3.17 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/08");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:enterprise_monitor");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
      script_require_keys("installed_sw/MySQL Enterprise Monitor");
      script_require_ports("Services/www", 18080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app  = "MySQL Enterprise Monitor";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    fix  = "2.3.17";
    port = get_http_port(default:18080);
    
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(port:port, qs:"/");
    
    if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
    
  • NASL familyCGI abuses
    NASL idMYSQL_ENTERPRISE_MONITOR_3_0_11.NASL
    descriptionAccording to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities : - A flaw exists within
    last seen2020-06-01
    modified2020-06-02
    plugin id83295
    published2015-05-08
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83295
    titleMySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83295);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2014-0050",
        "CVE-2014-0094",
        "CVE-2014-0112",
        "CVE-2014-0113",
        "CVE-2014-0116"
      );
      script_bugtraq_id(
        65400,
        65999,
        67064,
        67081,
        67218
      );
      script_xref(name:"CERT", value:"719225");
      script_xref(name:"EDB-ID", value:"33142");
      script_xref(name:"EDB-ID", value:"31615");
    
      script_name(english:"MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of MySQL Enterprise Monitor.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the MySQL Enterprise Monitor
    running on the remote host is affected by multiple vulnerabilities :
    
      - A flaw exists within 'MultipartStream.java' in Apache
        Commons FileUpload when parsing malformed Content-Type
        headers. A remote attacker, using a crafted header,
        can exploit this to cause an infinite loop, resulting
        in a denial of service. (CVE-2014-0050)
    
      - Security bypass flaws exist in the ParametersInterceptor
        and CookieInterceptor classes, within the included
        Apache Struts 2 component, which are due to a failure to
        properly restrict access to their getClass() methods. A
        remote attacker, using a crafted request, can exploit
        these flaws to manipulate the ClassLoader, thus allowing
        the execution of arbitrary code or modification of the
        session state. Note that vulnerabilities CVE-2014-0112
        and CVE-2014-0116 occurred because the patches for
        CVE-2014-0094 and CVE-2014-0113, respectively, were not
        complete fixes. (CVE-2014-0094, CVE-2014-0112,
        CVE-2014-0113, CVE-2014-0116)");
      # https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56618dc1");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-021");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-022");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL Enterprise Monitor 3.0.11 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/08");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:enterprise_monitor");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
      script_require_keys("installed_sw/MySQL Enterprise Monitor");
      script_require_ports("Services/www", 18443);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app  = "MySQL Enterprise Monitor";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    fix  = "3.0.11";
    port = get_http_port(default:18443);
    
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(port:port, qs:"/");
    
    if (version =~ "^3\.0($|[^0-9])" && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
    
  • NASL familyMisc.
    NASL idVCENTER_OPERATIONS_MANAGER_VMSA_2014-0007.NASL
    descriptionThe version of vCenter Operations Manager installed on the remote host is prior to 5.8.2. It is, therefore, affected by the following vulnerabilities : - An error exists in the included Apache Tomcat version related to handling
    last seen2020-06-01
    modified2020-06-02
    plugin id76388
    published2014-07-07
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76388
    titleVMware vCenter Operations Management Suite Multiple Vulnerabilities (VMSA-2014-0007)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(76388);
      script_version("1.8");
      script_cvs_date("Date: 2018/08/06 14:03:14");
    
      script_cve_id("CVE-2014-0050", "CVE-2014-0094", "CVE-2014-0112");
      script_bugtraq_id(65400, 65999, 67064);
      script_xref(name:"VMSA", value:"2014-0007");
      script_xref(name:"IAVB", value:"2014-B-0090");
    
      script_name(english:"VMware vCenter Operations Management Suite Multiple Vulnerabilities (VMSA-2014-0007)");
      script_summary(english:"Checks version of vCenter Operations Manager.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has a virtualization appliance installed that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of vCenter Operations Manager installed on the remote host
    is prior to 5.8.2. It is, therefore, affected by the following
    vulnerabilities :
    
      - An error exists in the included Apache Tomcat version
        related to handling 'Content-Type' HTTP headers and
        multipart requests such as file uploads that could
        allow denial of service attacks. (CVE-2014-0050)
    
      - A security bypass error exists due to the included
        Apache Struts2 component, allowing manipulation of the
        ClassLoader via the 'class' parameter, which is directly
        mapped to the getClass() method. A remote,
        unauthenticated attacker can take advantage of this
        issue to manipulate the ClassLoader used by the
        application server, allowing for the bypass of certain
        security restrictions. Note that CVE-2014-0112 exists
        because CVE-2014-0094 was not a complete fix.
        (CVE-2014-0094, CVE-2014-0112)");
      script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2014/000257.html");
      # https://www.vmware.com/support/vcops/doc/vcops-582-vapp-release-notes.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d46f364");
      # https://www.vmware.com/support/vcops/doc/vcops-582-installable-release-notes.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1fe3ac72");
      # http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2081470
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?be20e92d");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to vCenter Operations Manager 5.7.3 / 5.8.2 or later.
    
    Alternatively, the vendor has provided a workaround for the security
    bypass error.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/07");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vcenter_operations");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/VMware vCenter Operations Manager/Version");
      script_require_ports("Services/ssh", 22);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("Host/VMware vCenter Operations Manager/Version");
    fix = NULL;
    
    # 0.x - 4.x / 5.0.x - 5.6.x
    #  - update with alt. version(s) when patch is available
    if (version =~ "^([0-4]|5\.[0-6])($|[^0-9])")
      fix = "5.8.2";
    
    # 5.7.x < 5.7.3
    else if (version =~ "^5\.7\." && ver_compare(ver:version, fix:'5.7.3', strict:FALSE) < 0)
      fix = "5.7.3";
    
    # 5.8.x < 5.8.2
    else if (version =~ "^5\.8\." && ver_compare(ver:version, fix:'5.8.2', strict:FALSE) < 0)
      fix = "5.8.2";
    
    if (!isnull(fix))
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, 'VMware vCenter Operations Manager', version);
    
  • NASL familyCGI abuses
    NASL idSTRUTS_2_3_16_1_CLASSLOADER_MANIPULATION.NASL
    descriptionThe remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability due to the application allowing manipulation of the ClassLoader via the
    last seen2020-06-01
    modified2020-06-02
    plugin id73203
    published2014-03-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73203
    titleApache Struts 2 'class' Parameter ClassLoader Manipulation
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73203);
      script_version("1.15");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id("CVE-2014-0094");
      script_bugtraq_id(65999);
      script_xref(name:"CERT", value:"719225");
    
      script_name(english:"Apache Struts 2 'class' Parameter ClassLoader Manipulation");
      script_summary(english:"Attempts to generate a ClassLoader error.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a web application that uses a Java framework that is affected by a security bypass
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation
    Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability due
    to the application allowing manipulation of the ClassLoader via the 'class' parameter, which is directly mapped to the
    getClass() method. A remote, unauthenticated attacker can take advantage of this issue to manipulate the ClassLoader
    used by the application server, allowing for the bypass of certain security restrictions.
    
    Note that this plugin will only report the first vulnerable instance of a Struts 2 application.
    
    Note also that the application may also be affected by a denial of service vulnerability; however, Nessus has not
    tested for this additional issue.");
      # https://cwiki.apache.org/confluence/display/WW/S2-020
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2926fce9");
      # https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.2
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e39cc37e");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to version 2.3.16.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0094");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/26");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("http_version.nasl", "webmirror.nasl");
      script_require_ports("Services/www", 80, 8080);
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('http.inc');
    include('misc_func.inc');
    
    port = get_http_port(default:8080);
    cgis = get_kb_list('www/' + port + '/cgi');
    
    urls = make_list();
    # To identify actions that we can test the exploit on we will look
    # for files with the .action / .jsp / .do suffix from the KB.
    if (!isnull(cgis))
    {
      foreach cgi (cgis)
      {
        match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi);
        if (!isnull(match))
        {
          urls = make_list(urls, match[0]);
          if (!thorough_tests) break;
        }
        match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi);
        if (!isnull(match2))
        {
          urls = make_list(urls, match2[0]);
          if (!thorough_tests) break;
        }
        match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi);
        if (!isnull(match3))
        {
          urls = make_list(urls, match3[0]);
          if (!thorough_tests) break;
        }
        if (cgi =~ "struts2?(-rest)?-showcase")
        {
          urls = make_list(urls, cgi);
          if (!thorough_tests) break;
        }
      }
    }
    if (thorough_tests)
    {
      cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');
      if (!isnull(cgi2)) urls = make_list(urls, cgi2);
    
      cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');
      if (!isnull(cgi3)) urls = make_list(urls, cgi3);
    
      cgi4 = get_kb_list('www/' + port + '/content/extensions/do');
      if (!isnull(cgi4)) urls = make_list(urls, cgi4);
    }
    
    # Always check web root
    urls = make_list(urls, '/');
    
    # Struts is slow
    timeout = get_read_timeout() * 2;
    if(timeout < 10)
      timeout = 10;
    http_set_read_timeout(timeout);
    
    urls = list_uniq(urls);
    
    script = SCRIPT_NAME - '.nasl' + '-' + unixtime();
    
    pat = '(Invalid field value for field|No result defined for action)';
    
    foreach url (urls)
    {
      res = http_send_recv3(
        method : 'GET',
        port   : port,
        item   : url,
        exit_on_fail : TRUE
      );
      chk1 = egrep(pattern:pat, string:res[2], icase:TRUE);
    
      vuln_url = url + '?class.classLoader.URLs[0]=' + script;
    
      res = http_send_recv3(
        method : 'GET',
        port   : port,
        item   : vuln_url,
        fetch404 : TRUE,
        exit_on_fail : TRUE
      );
    
      pat_match = pregmatch(pattern:pat, string:res[2], icase:TRUE);
      if (
        !isnull(pat_match) &&
        (res[0] =~ "200 OK|404 Not Found") &&
        (!chk1) &&
        (!empty_or_null(pat_match[1]))
      )
      {
        vuln = TRUE;
        output = strstr(res[2], pat_match[1]);
        if (empty_or_null(output)) output = res[2];
        # Stop after first vulnerable Struts app is found
        break;
      }
    }
    
    if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');
    
    security_report_v4(
      port       : port,
      severity   : SECURITY_WARNING,
      generic    : TRUE,
      request    : make_list(build_url(qs:vuln_url, port:port)),
      output     : chomp(output)
    );
    
  • NASL familyWindows
    NASL idSTRUTS_2_3_16_1_WIN_LOCAL.NASL
    descriptionThis plugin has been deprecated and replaced by struts_2_3_16_1.nasl (plugin ID 117393).
    last seen2019-02-21
    modified2018-09-12
    plugin id81105
    published2015-01-30
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=81105
    titleApache Struts 2.0.0 < 2.3.16.1 Multiple Vulnerabilities (credentialed check) (Deprecated)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 9/12/2018. Use struts_2_3_16_1.nasl instead
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81105);
      script_version("1.7");
      script_cvs_date("Date: 2018/09/12  7:22:56");
    
      script_cve_id("CVE-2014-0050", "CVE-2014-0094");
      script_bugtraq_id(65400, 65999);
      script_xref(name:"CERT", value:"719225");
    
      script_name(english:"Apache Struts 2.0.0 < 2.3.16.1 Multiple Vulnerabilities (credentialed check) (Deprecated)");
      script_summary(english:"Checks the Struts 2 version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "This plugin has been deprecated.");
      script_set_attribute(attribute:"description", value:
    "This plugin has been deprecated and replaced by 
    struts_2_3_16_1.nasl (plugin ID 117393).");
      script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/version-notes-23161.html");
      script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/s2-020.html");
      script_set_attribute(attribute:"solution", value:"N/A.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/30");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("struts_detect_win.nbin");
      script_require_keys("installed_sw/Apache Struts", "Settings/ParanoidReport");
    
      exit(0);
    }
    exit(0, "This plugin has been deprecated. Use struts_2_3_16_1.nasl (plugin ID 117393) instead.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app = "Apache Struts";
    
    install = get_single_install(app_name : app);
    version = install['version'];
    path  = install['path'];
    appname = install['Application Name'];
    
    fix = "2.3.16.1";
    report = NULL;
    
    if (version == UNKNOWN_VER)
      audit(AUDIT_UNKNOWN_APP_VER, ("the " + app + " application, " + appname + ", found at " + path + ","));
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if (
      version =~ "^2\." &&
      ver_compare(ver:version, fix:fix, strict:FALSE) == -1
    )
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      report +=
        '\n  Application       : ' + appname +
        '\n  Physical path     : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
    }
    
    if (!isnull(report))
    {
      port = get_kb_item("SMB/transport");
      if (isnull(port)) port = 445;
    
      if (report_verbosity > 0) security_warning(port:port, extra:report);
      else security_warning(port);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, (app + " 2 application, " + appname + ","), version, path);
    
  • NASL familyMisc.
    NASL idSTRUTS_2_3_16_1.NASL
    descriptionThe version of Apache Struts running on the remote host is 2.x prior to 2.3.16.2. It, therefore, is affected by multiple vulnerabilities: - A denial of service vulnerability exists in MultipartStrea.java in Apache Commons FileUpload due to failure to handle exceptional conditions. A remote, unauthenticated attacker can exploit this issue to cause the application to enter an infinite loop which may cause a denial of service condition. (CVE-2014-0050) - A class loader manipulation flaw exists in ParameterInterceptor due to improper validation of input data. An attacker can exploit this issue to bypass certain security restriction and manipulate the ClassLoader. (CVE-2015-0094) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id117393
    published2018-09-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117393
    titleApache Struts 2.x < 2.3.16.2 Multiple Vulnerabilities (S2-020)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117393);
      script_version("1.11");
      script_cvs_date("Date: 2019/11/05");
    
      script_cve_id("CVE-2014-0050", "CVE-2014-0094");
      script_bugtraq_id(65400, 65999);
    
      script_name(english:"Apache Struts 2.x < 2.3.16.2 Multiple Vulnerabilities (S2-020)");
      script_summary(english:"Checks the Struts 2 version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host uses a Java framework that is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Struts running on the remote host is 2.x prior to 2.3.16.2. It, therefore, is affected by
    multiple vulnerabilities:
    
      - A denial of service vulnerability exists in MultipartStrea.java in Apache Commons FileUpload due to failure to 
        handle exceptional conditions. A remote, unauthenticated attacker can exploit this issue to cause the application
        to enter an infinite loop which may cause a denial of service condition. (CVE-2014-0050)
    
      - A class loader manipulation flaw exists in ParameterInterceptor due to improper validation of input data. An
        attacker can exploit this issue to bypass certain security restriction and manipulate the ClassLoader. 
        (CVE-2015-0094)
    
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
    number.");
      # https://cwiki.apache.org/confluence/display/WW/S2-020
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2926fce9");
      # https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.2
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e39cc37e");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Struts version 2.3.16.2 or later");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0050");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"agent", value:"all");
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/10");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    app_info = vcf::combined_get_app_info(app:'Apache Struts');
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      { 'min_version' : '2.0.0', 'fixed_version' : '2.3.16.2' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familyMisc.
    NASL idIBM_STORWIZE_1_5_0_2.NASL
    descriptionThe remote IBM Storwize device is running a version that is 1.3.x prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists due to a flaw in the bundled version of Apache HTTP Server. A remote attacker can exploit this, via partial HTTP requests, to cause a daemon outage, resulting in a denial of service condition. (CVE-2007-6750) - An HTTP request smuggling vulnerability exists due to a flaw in the bundled version of Apache Tomcat; when an HTTP connector or AJP connector is used, Tomcat fails to properly handle certain inconsistent HTTP request headers. A remote attacker can exploit this flaw, via multiple Content-Length headers or a Content-Length header and a
    last seen2020-06-01
    modified2020-06-02
    plugin id84401
    published2015-06-26
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84401
    titleIBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84401);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2007-6750",
        "CVE-2013-4286",
        "CVE-2013-4322",
        "CVE-2014-0075",
        "CVE-2014-0094",
        "CVE-2014-0096",
        "CVE-2014-0099",
        "CVE-2014-0119",
        "CVE-2014-0178",
        "CVE-2014-1555",
        "CVE-2014-1556",
        "CVE-2014-1557",
        "CVE-2014-3077",
        "CVE-2014-3493",
        "CVE-2014-4811"
      );
      script_bugtraq_id(
        21865,
        65767,
        65773,
        65999,
        67667,
        67668,
        67669,
        67671,
        67686,
        68150,
        68814,
        68822,
        68824,
        69771,
        69773
      );
      script_xref(name:"CERT", value:"719225");
    
      script_name(english:"IBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities");
      script_summary(english:"Checks for vulnerable Storwize versions.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote IBM Storwize device is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote IBM Storwize device is running a version that is 1.3.x
    prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected
    by multiple vulnerabilities :
    
      - A denial of service vulnerability exists due to a flaw
        in the bundled version of Apache HTTP Server. A remote
        attacker can exploit this, via partial HTTP requests,
        to cause a daemon outage, resulting in a denial of
        service condition. (CVE-2007-6750)
    
      - An HTTP request smuggling vulnerability exists due to a
        flaw in the bundled version of Apache Tomcat; when an
        HTTP connector or AJP connector is used, Tomcat fails to
        properly handle certain inconsistent HTTP request
        headers. A remote attacker can exploit this flaw, via
        multiple Content-Length headers or a Content-Length
        header and a 'Transfer-Encoding: chunked' header, to
        smuggle an HTTP request in one or more Content-Length
        headers. (CVE-2013-4286)
    
      - A denial of service vulnerability exists in the bundled
        version of Apache Tomcat due to improper processing of
        chunked transfer coding with a large amount of chunked
        data or whitespace characters in an HTTP header value
        within a trailer field. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition. (CVE-2013-4322)
    
      - A denial of service vulnerability exists due to a flaw
        in the bundled version of Apache Tomcat; an integer
        overflow condition exists in the parseChunkHeader()
        function in ChunkedInputFilter.java. A remote attacker
        can exploit this, via a malformed chunk size that is
        part of a chunked request, to cause excessive
        consumption of resources, resulting in a denial of
        service condition. (CVE-2014-0075)
    
      - A remote code execution vulnerability exists due to a
        flaw in the bundled version of Apache Struts. A remote
        attacker can manipulate the ClassLoader via the class
        parameter, resulting in the execution of arbitrary Java
        code. (CVE-2014-0094)
    
      - An XML External Entity (XXE) injection vulnerability
        exists due to a flaw in the bundled version of Apache
        Tomcat; an incorrectly configured XML parser accepts
        XML external entities from an untrusted source via XSLT.
        A remote attacker can exploit this, by sending specially
        crafted XML data, to gain access to arbitrary files.
        (CVE-2014-0096)
    
      - An integer overflow condition exists in the bundled
        version of Apache Tomcat. A remote attacker, via a
        crafted Content-Length HTTP header, can conduct HTTP
        request smuggling attacks. (CVE-2014-0099)
    
      - An information disclosure vulnerability exists due to a
        flaw in the bundled version of Apache Tomcat. Tomcat
        fails to properly constrain the class loader that
        accesses the XML parser used with an XSLT stylesheet. A
        remote attacker can exploit this, via a crafted web
        application that provides an XML external entity
        declaration in conjunction with an entity reference, to
        read arbitrary files. (CVE-2014-0119)
    
      - A flaw exists in a bundled version of Samba due to a
        flaw in the vfswrap_fsctl() function that is triggered
        when responding to FSCTL_GET_SHADOW_COPY_DATA or
        FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests. An
        unauthenticated, remote attacker can exploit this, via
        a specially crafted request, to disclose sensitive
        information from process memory. (CVE-2014-0178)
    
      - Multiple flaws exist in the bundled version of Mozilla
        Firefox that allow a remote attacker to execute
        arbitrary code. (CVE-2014-1555, CVE-2014-1556,
        CVE-2014-1557)
    
      - An information disclosure vulnerability exists due to
        the chkauth password being saved in plaintext in the
        audit log. A local attacker can exploit this to gain
        administrator access. (CVE-2014-3077)
    
      - A denial of service vulnerability exists due to a flaw
        in the bundled version of Samba. An authenticated,
        remote attacker can exploit this, via an attempt to read
        a Unicode pathname without specifying the use of
        Unicode, to cause an application crash. (CVE-2014-3493)
      
      - A security bypass vulnerability exists due to an
        unspecified flaw. A remote attacker can exploit this
        flaw to reset the administrator password to its default
        value via a direct request to the administrative IP
        address. Note that this vulnerability only affects the
        1.4.x release levels. (CVE-2014-4811)");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004834");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004836");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004837");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004854");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004860");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004861");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004867");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004869");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004835");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to IBM Storwize version 1.4.3.4 / 1.5.0.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1557");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/26");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_unified_v7000");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_v7000");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_v5000");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_v3700");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_v3500");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:san_volume_controller");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v7000_unified_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v7000_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v5000_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v3700_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v3500_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:san_volume_controller_software");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ibm_storwize_detect.nbin");
      script_require_keys("Host/IBM/Storwize/version", "Host/IBM/Storwize/machine_major", "Host/IBM/Storwize/display_name");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("Host/IBM/Storwize/version");
    machine_major = get_kb_item_or_exit("Host/IBM/Storwize/machine_major");
    display_name = get_kb_item_or_exit("Host/IBM/Storwize/display_name");
    
    if (
      machine_major != "2073" && # V7000 Unified
      machine_major != "2071" && # V3500
      machine_major != "2072" && # V3700
      machine_major != "2076" && # V7000
      machine_major != "2077" && # V5000
      machine_major != "2145" && # SAN Volume Controller
      machine_major != "4939"    # Flex System V7000 Storage Node
    ) audit(AUDIT_DEVICE_NOT_VULN, display_name);
    
    if (version == UNKNOWN_VER || version == "Unknown")
      audit(AUDIT_UNKNOWN_APP_VER, display_name);
    
    if (machine_major == "2073")
    {
      if (version =~ "^1\.[3-4]\.") fix = "1.4.3.4";
      else if (version =~ "^1\.5\.") fix = "1.5.0.2";
      else audit(AUDIT_DEVICE_NOT_VULN, display_name, version);
    }
    else
    {
      if (version =~ "^((6\.[1234])|(7\.[12]))\.") fix = "7.2.0.8";
      else if (version =~ "^7\.3\.") fix = "7.3.0.5";
      else audit(AUDIT_DEVICE_NOT_VULN, display_name, version);
    }
    
    if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
      audit(AUDIT_DEVICE_NOT_VULN, display_name, version);
    
    if (report_verbosity > 0)
    {
      report =
        '\n  Name              : ' + display_name +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_hole(port:0, extra:report);
    }
    else security_hole(port:0);
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/126445/struts_code_exec_classloader.rb.txt
idPACKETSTORM:126445
last seen2016-12-05
published2014-05-02
reporterMark Thomas
sourcehttps://packetstormsecurity.com/files/126445/Apache-Struts-ClassLoader-Manipulation-Remote-Code-Execution.html
titleApache Struts ClassLoader Manipulation Remote Code Execution

Seebug

bulletinFamilyexploit
descriptionCVE ID:CVE-2014-0094 Struts2 是第二代基于Model-View-Controller (MVC)模型的java企业级web应用框架。 该应用程序允许访问直接映射到“getClass()”方法的“class”参数 ,这可以被利用来操纵所使用的应用程序服务器的ClassLoader。 0 Apache Struts 2.x 厂商补丁: Apache ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://struts.apache.org/release/2.3.x/docs/s2-020.html
idSSV:61709
last seen2017-11-19
modified2014-03-10
published2014-03-10
reporterRoot
titleApache Struts ClassLoader操作漏洞

References