漏洞类别:Web Application
漏洞等级: 
漏洞信息
The Apache Struts web framework is a free open source solution for creating Java web applications.
Apache Struts is prone to multiple security vulnerabilities CVE-2013-4310 and CVE-2013-4316.
Apache Strut is affected by following issues:
- Action mapping mechanism supports the special parameter prefix "action:" which is intended to help with attaching navigational information to buttons within forms. Under certain conditions this can be used to bypass security constraints.
- Dynamic method invocation usage which is known to impose possible security vulnerabilities.
Affected Software:
Apache Struts versions 2.0.0 through 2.3.15.2 are vulnerable.
漏洞危害
If this vulnerability is successfully exploited, attackers can bypass certain Access control restrictions which may lead to further attacks
解决方案
Upgrade to the latest version of the Apache Struts 2 framework to fix this issue. For more details please refer to vendor advisory: S2-018 and S2-019.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Virtual Patches:
Trend Micro Virtual Patching
Virtual Patch #1005691: 1005691 - Identified Apache Struts Action Prefix In HTTP Request
Virtual Patch #1005692: 1005692 - Identified Apache Struts Dynamic Method Invocation In HTTP Request
0day
文章评论