CVE-2013-4212
Published 2013-12-07
Priority P268 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 81.07% (99.6th percentile)
Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated by the pageTitle parameter in the !getPageTitle sub-URL to roller-ui/login.rol, which uses a subclass of UIAction, aka "OGNL Injection."
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | roller | <= 5.0.1 | — |
| apache | roller | — | — |
| apache | roller | — | — |
| apache | roller | — | — |
Detection & IOCs
- Monitor HTTP GET requests to /roller-ui/login.rol containing OGNL expression syntax in the 'pageTitle' parameter, specifically patterns matching '%24{' or '${' with '#_memberAccess' or 'java.lang' constructs.
- Detect the OGNL allowStaticMethodAccess bypass string in HTTP query parameters, which is a hallmark of this exploit's payload.
- Flag GET requests to /roller-ui/login.rol with a 'pageTitle' query parameter containing URL-encoded OGNL expressions (e.g., '%24{', '%23_memberAccess', 'java.io.FileOutputStream').
- The vulnerability resides in the UIAction controller's getText method; alert on any sub-URL pattern matching '!getPageTitle' on the login endpoint.
- A successful check/probe response returns HTTP 200 with the arithmetic sum of two addends in the body; monitor for arithmetic-result canary values in responses to login.rol requests as a sign of active exploitation probing.
- The default exploit target URI is '/roller', meaning the full attack path is /roller/roller-ui/login.rol. Detection rules should account for non-default deployment paths.
- The exploit uses URL encoding ('%24' for '$', '%3d' for '=') to bypass naive string-matching filters; detection must decode query parameters before matching OGNL patterns.
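The request-side checks from the list above, combined into one access-log filter as an added example (not code from this page, Apache Roller or Metasploit). The function names, the combined-log layout and the sample lines are assumptions constructed for illustration; it decodes repeatedly so double-encoded values are caught, and matches the login action under any deployment prefix.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators named in the detection notes above; matched only after decoding.
OGNL_TOKENS = ("${", "#_memberAccess", "allowStaticMethodAccess",
               "java.lang", "java.io.FileOutputStream")
# Any deployment prefix, optional "!method" sub-URL on the login action.
LOGIN_PATH = re.compile(r"/roller-ui/login\.rol(![A-Za-z]+)?$")
REQUEST = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect(log_line):
    """Return findings for one access-log line; an empty list means no match."""
    request = REQUEST.search(log_line)
    if not request:
        return []
    url = urlsplit(request.group("target"))
    hit = LOGIN_PATH.search(fully_decode(url.path))
    if not hit:
        return []
    findings = []
    if hit.group(1) == "!getPageTitle":
        findings.append("sub-url:!getPageTitle")
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "pageTitle":
            decoded = fully_decode(value)
            findings += ["ognl:" + t for t in OGNL_TOKENS if t in decoded]
    return findings

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2014:10:00:00 +0000] "GET /roller/roller-ui/login.rol HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2014:10:00:05 +0000] "GET /roller/roller-ui/login.rol!getPageTitle?pageTitle=%24{1111%2b2222} HTTP/1.1" 200 4',
    '203.0.113.7 - - [01/Jan/2014:10:00:09 +0000] "GET /blog/roller-ui/login.rol?pageTitle=%2524%257B%2523_memberAccess%257D HTTP/1.1" 200 0',
    '198.51.100.2 - - [01/Jan/2014:10:01:00 +0000] "GET /roller/roller-ui/login.rol?pageTitle=Welcome HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect(line) or "clean", "<-", line.split('"')[1])
```

The response-side canary check (the arithmetic result in the body) needs response capture and is not covered by an access-log filter like this one.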
No detection rules found.
Exploit-DB
Apache Roller - OGNL Injection (Metasploit)
exploitdb·2013-11-27
---
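```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      # Module metadata only; the listing is cut off before any exploit logic.
      'Name'           => 'Apache Roller OGNL Injection',
      'Description'    => %q{
        This module exploits an OGNL injection vulnerability in Apache Roller < 5.0.2.
        The vulnerability is due to an OGNL injection on the UIAction controller because
        of an insecure usage of the ActionSupport.getText method. This module has been
        tested successfully on Apache Roller 5.0.1 on Ubuntu 10.04.
      },
      'Author'         =>
        [
          'Unknown', # From coverity.com / Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-4212'],
          [ 'URL', 'http://security.coverity.com/advisory/2013/Oct/remote-code-execution-in-apache-roller-via-ognl-injection.html']
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'Apache Roller 5.0.1', { } ]
        ],
      'DisclosureDate' => 'Oct 31 2013',
      'DefaultTarget
```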
Metasploit
Apache Roller OGNL Injection
metasploit
This module exploits an OGNL injection vulnerability in Apache Roller < 5.0.2. The vulnerability is due to an OGNL injection on the UIAction controller because of an insecure usage of the ActionSupport.getText method. This module has been tested successfully on Apache Roller 5.0.1 on Ubuntu 10.04.
No writeups or analysis indexed.
- http://rollerweblogger.org/project/entry/apache_roller_5_0_2
- http://secunia.com/advisories/55862
- http://secunia.com/advisories/55877
- http://security.coverity.com/advisory/2013/Oct/remote-code-execution-in-apache-roller-via-ognl-injection.html
- http://www.exploit-db.com/exploits/29859
- http://www.osvdb.org/100342
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89239
Published: 2013-12-07