U-075: Apache Struts Bug Lets Remote Users Overwrite Files and Execute Arbitrary Code

January 5, 2012 - 8:15am

PROBLEM:

Apache Struts Bug Lets Remote Users Overwrite Files and Execute Arbitrary Code

PLATFORM:

Version(s): 2.1.0 - 2.3.1

ABSTRACT:

A remote user can execute arbitrary Java code on the target system.

REFERENCE LINKS:

SecurityTracker Alert ID: 1026484
Secunia Advisory SA47393
Bugtraq ID: 51257
Apache Struts 2 Documentation S2-008

IMPACT ASSESSMENT:

High

Discussion:

A vulnerability was reported in Apache Struts that lets a remote user execute arbitrary Java code and overwrite arbitrary files on the target system. A remote user can send specially crafted data to execute arbitrary Java code on the target system; the ExceptionDelegator and CookieInterceptor functions are affected. A remote user can also exploit a flaw in the ParameterInterceptor function to overwrite arbitrary files on the target system.

Impact:

A remote user can execute arbitrary Java code on the target system.

Solution:

Developers should immediately upgrade to Struts 2.3.1.1.
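
To find deployments that still need this upgrade, the following inventory check (an added example, not part of the original bulletin) flags Struts core jars in the 2.1.0 - 2.3.1 range, both loose on disk and packed one level deep inside .war/.ear archives. It assumes the library keeps its standard `struts2-core-<version>.jar` file name; the function names are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected range and fixed release are taken from the bulletin text.
AFFECTED_MIN = (2, 1, 0)
AFFECTED_MAX = (2, 3, 1)
FIXED = "2.3.1.1"

# Assumption: the jar keeps its Maven artifact name, struts2-core-<version>.jar.
# Qualified builds (for example -SNAPSHOT) do not match and need manual review.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.3.1.1' into (2, 3, 1, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if version lies in the bulletin's 2.1.0 - 2.3.1 range (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def classify(names):
    """Map each struts2-core jar path to (version, affected?)."""
    found = {}
    for name in names:
        match = JAR_RE.search(name)
        if match:
            found[name] = (match.group(1), is_affected(match.group(1)))
    return found


def scan(root):
    """Collect loose jars under root plus entries of .war/.ear archives."""
    names = []
    for path in Path(root).rglob("*"):
        if path.suffix == ".jar":
            names.append(str(path))
        elif path.suffix in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                names += [f"{path}!{entry}" for entry in archive.namelist()]
    return classify(names)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (version, bad) in sorted(scan(root).items()):
        status = f"AFFECTED, upgrade to {FIXED}" if bad else "ok"
        print(f"{version:10} {status:30} {name}")
```

Run it against an application server's deployment directory; a nested archive (a .war inside an .ear) has to be unpacked first.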
