CVE-2013-4212
published 2013-12-07

Priority: P268, medium, 6.8 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 81.07% (99.6th percentile)
Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated by the pageTitle parameter in the !getPageTitle sub-URL to roller-ui/login.rol, which uses a subclass of UIAction, aka "OGNL Injection."

Affected

4 ranges
Vendor | Product | Version range | Fixed in
apache | roller | <= 5.0.1 |
apache | roller | |
apache | roller | |
apache | roller | |

Detection & IOCs (extracted from sources)

path: /roller-ui/login.rol
command: ${(#_memberAccess["allowStaticMethodAccess"]=true,CMD,'')}
command: ${new java.lang.Integer(#{addend_one}+#{addend_two})}
  • Monitor HTTP GET requests to /roller-ui/login.rol containing OGNL expression syntax in the 'pageTitle' parameter, specifically patterns matching '%24{' or '${' with '#_memberAccess' or 'java.lang' constructs.
  • Detect the OGNL allowStaticMethodAccess bypass string in HTTP query parameters, which is a hallmark of this exploit's payload.
  • Flag GET requests to /roller-ui/login.rol with a 'pageTitle' query parameter containing URL-encoded OGNL expressions (e.g., '%24{', '%23_memberAccess', 'java.io.FileOutputStream').
  • The vulnerability resides in the UIAction controller's getText method; alert on any sub-URL pattern matching '!getPageTitle' on the login endpoint.
  • A successful check/probe response returns HTTP 200 with the arithmetic sum of two addends in the body — monitor for arithmetic-result canary values in responses to login.rol requests as a sign of active exploitation probing.
  • The default exploit target URI is '/roller', meaning the full attack path is /roller/roller-ui/login.rol. Detection rules should account for non-default deployment paths.
  • The exploit uses URL encoding ('%24' for '$', '%3d' for '=') to bypass naive string-matching filters; detection must decode query parameters before matching OGNL patterns.
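
The detection points above can be combined into one log-side check. The following is an added example, not code from this page or from Apache Roller: it decodes each query parameter (including double encoding) before matching, and matches the login endpoint under any deployment path. The function names, finding labels, sample request targets and the assumption that '!getPageTitle' may appear either before or after '.rol' are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Login endpoint under any context path; "!getPageTitle" may sit before or after ".rol".
ENDPOINT = re.compile(r"/roller-ui/login[^/]*\.rol", re.I)
MARKERS = {
    "ognl-expression": re.compile(r"\$\{"),
    "memberaccess-bypass": re.compile(r"#_memberAccess|allowStaticMethodAccess"),
    "java-class-reference": re.compile(r"java\.(lang|io)\."),
}

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return sorted findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    if not ENDPOINT.search(path):
        return []          # only the Roller login endpoint is in scope
    findings = set()
    if "!getpagetitle" in path.lower():
        findings.add("getPageTitle-sub-url")
    # parse_qsl decodes once; fully_decode handles any further encoding layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(value)
        for label, pattern in MARKERS.items():
            if pattern.search(value):
                findings.add(f"{name}:{label}")
    return sorted(findings)

# Constructed request targets (not captured traffic), one per case.
SAMPLES = [
    "/roller/roller-ui/login.rol?pageTitle=Welcome",
    "/roller/roller-ui/login.rol?pageTitle=%24%7Bnew%20java.lang.Integer(1%2b2)%7D",
    "/blog/roller-ui/login.rol?pageTitle=%2524%257B%2523_memberAccess%257D",
    "/roller/roller-ui/login!getPageTitle.rol?pageTitle=Front%20Page",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(inspect_request(target) or "clean", target)
```

Every query parameter on the endpoint is checked rather than only pageTitle, since the description attributes the injection to the first or second getText argument and names pageTitle as one demonstration.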