PT-2019-6685 · Apache · Apache Struts

Arun Babu Neelicattu · Published 2019-11-01 · Updated 2022-04-22 · CVE-2011-3923

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Struts versions prior to 2.3.1.2

Description: The issue allows remote attackers to bypass the security protections of the ParametersInterceptor class and execute arbitrary commands. The cause is a regular expression in ParametersInterceptor that incorrectly accepts certain parameter names, such as top['foo'](0), as valid. The OGNL library parses this name as (top['foo'])(0) and evaluates the value of the 'foo' action parameter as an OGNL expression. A malicious user can therefore place arbitrary OGNL statements into any String property exposed by an action and have them evaluated as OGNL. Because the OGNL statement travels in the HTTP parameter value rather than the parameter name, the attacker can use characters that the name check blacklists, re-enable method execution and invoke arbitrary methods, bypassing both the ParametersInterceptor and the OGNL library protections.

Recommendations: For Apache Struts versions prior to 2.3.1.2, update to version 2.3.1.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ParametersInterceptor class and limiting the evaluation of OGNL expressions in action parameters until a patch is applied. Avoid using blacklisted characters in HTTP parameter values to minimize the risk of exploitation.
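As an added illustration (not part of this advisory and not Struts' own code), the following Python shows the class of check the description is about: a lax parameter-name allowlist that accepts top['foo'](0) because every character in it is individually permitted, beside a stricter allowlist that only admits dotted property paths with numeric or quoted-string indices and so rejects any name carrying a call-style (...) suffix. Both regular expressions, the accepted_by and rejected_parameter_names helpers and the sample request parameters are assumptions constructed for this example; they are not the ParametersInterceptor's actual patterns.

```python
import re

# ASSUMPTION: illustrative allowlist patterns written for this example; these are
# not the regular expressions used by any Struts release.

# Lax allowlist: a flat character class. Every character of "top['foo'](0)" is
# individually allowed, so the name as a whole passes even though OGNL reads
# it as a call, (top['foo'])(0), rather than a property path.
LAX_PARAM_NAME = re.compile(r"^[A-Za-z0-9_.\[\]()']+$")

# Strict allowlist: the name must be a property path made of identifiers joined
# by "." or indexed with [0] / ['key']. Parentheses never appear in the grammar,
# so a call-style suffix such as "(0)" or "()" is rejected outright.
STRICT_PARAM_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*"            # first property segment
    r"(?:\.[A-Za-z_][A-Za-z0-9_]*"        # .nested property
    r"|\[(?:\d+|'[A-Za-z0-9_]+')\])*$"    # [0] or ['key'] index
)


def accepted_by(pattern: re.Pattern, name: str) -> bool:
    """True if the whole parameter name matches the given allowlist pattern."""
    return pattern.fullmatch(name) is not None


def rejected_parameter_names(params: dict) -> list:
    """Return, sorted, the submitted parameter names the strict allowlist would drop.

    A defender can log these: a request whose parameter names fail the strict
    check but pass the lax one is exactly the shape described in the advisory.
    """
    return sorted(name for name in params if not accepted_by(STRICT_PARAM_NAME, name))


# Constructed sample request parameters (not from a real capture). The suspicious
# entry uses the name quoted in the advisory; its value is a placeholder.
SAMPLE_REQUEST_PARAMS = {
    "name": "alice",
    "user.address[0]": "1 Main St",
    "top['foo'](0)": "CONSTRUCTED-PLACEHOLDER-VALUE",
}


if __name__ == "__main__":
    for n in SAMPLE_REQUEST_PARAMS:
        print(f"{n!r:24} lax={accepted_by(LAX_PARAM_NAME, n)!s:5} "
              f"strict={accepted_by(STRICT_PARAM_NAME, n)}")
    print("rejected by strict allowlist:", rejected_parameter_names(SAMPLE_REQUEST_PARAMS))
```

The design point is that a character-class allowlist answers "are all these characters permitted?" while the interceptor needs to answer "is this string a plain property path?"; only a grammar-shaped pattern like STRICT_PARAM_NAME answers the second question, which is why names such as top['foo'](0) slip through the first and not the second.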

Exploit · Fix

Incorrect Permission · Code Injection


Weakness Enumeration

Related Identifiers

CVE-2011-3923
GHSA-J68F-8H6P-9H5Q

Affected Products

Apache Struts