source: https://www.securityfocus.com/bid/32101/info
XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input.
Attackers can exploit this issue to manipulate server-side context objects with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer.
Versions prior to XWork 2.0.6 are vulnerable. Struts 2.0.0 through 2.0.11.2 bundle vulnerable versions of XWork and are therefore also affected.
To set #session.user to '0wn3d':
('\u0023' + 'session[\'user\']')(unused)=0wn3d
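The parameter name above is an OGNL expression rather than a plain property path, and it carries the `#` context-variable prefix as the Java string escape `\u0023`, so a filter that only looks for a literal `#` in the raw request never sees it. The following is an added example, not code from the advisory or from the XWork or Struts projects: a defensive parameter-name allowlist in the spirit of the 2.0.6 fix (the exact rule is this example's own assumption), beside a naive `#` denylist that the page's parameter name passes, and an escape-aware detector suitable for a log or WAF rule. The request map is constructed for the example.

```python
import codecs
import re

# Allowlist for HTTP parameter names: a plain property path such as
# "user.name", "items[0].qty" or "prefs['theme']". Anything else (parentheses,
# operators, quotes outside an index, backslash escapes) is refused before the
# name can reach the expression engine. Constructed for this example; it is
# not XWork's own acceptance rule.
SAFE_PARAM_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*"
    r"(?:\.[A-Za-z_][A-Za-z0-9_]*|\[[0-9]+\]|\['[A-Za-z0-9_]+'\])*$"
)

# Tokens that turn a property path into an expression. Used only by the
# escape-aware detector below; "\u0023" is the Java string escape for '#'.
OGNL_MARKERS = ("#", "(", ")", "=", ",", ":", "@", "+")

# The parameter name shown on the advisory page, as a server receives it
# (the backslashes are literal characters in the raw name).
ADVISORY_PARAM_NAME = "('\\u0023' + 'session[\\'user\\']')(unused)"


def is_acceptable_param_name(name: str) -> bool:
    """Allowlist check: True only for a plain dotted/indexed property path."""
    return SAFE_PARAM_NAME.match(name) is not None


def naive_hash_denylist_allows(name: str) -> bool:
    """A denylist that only rejects a literal '#'. Kept here to show why it
    is insufficient: the advisory's name carries '#' as the escape "\\u0023",
    which the expression engine unescapes only after this check has passed."""
    return "#" not in name


def reveals_hidden_ognl(name: str) -> bool:
    """Escape-aware detector: unescape Java-style backslash sequences and
    report whether the unescaped form contains an expression marker that the
    raw form did not. Usable as a log or WAF rule for escape-based evasion."""
    try:
        unescaped = codecs.decode(name.encode("latin-1"), "unicode_escape")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return True  # malformed escape: treat as suspicious
    raw_markers = {m for m in OGNL_MARKERS if m in name}
    unescaped_markers = {m for m in OGNL_MARKERS if m in unescaped}
    return bool(unescaped_markers - raw_markers)


def filter_request_params(params: dict) -> tuple:
    """Split a request's parameter map into (accepted_dict, rejected_names)."""
    accepted, rejected = {}, []
    for name, value in params.items():
        if is_acceptable_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed request: two ordinary form fields plus the advisory's name.
    request = {
        "user.name": "alice",
        "items[0].qty": "2",
        ADVISORY_PARAM_NAME: "0wn3d",
    }
    ok, bad = filter_request_params(request)
    print("accepted:", ok)
    print("rejected:", bad)
    print("naive '#' denylist would allow it:",
          naive_hash_denylist_allows(ADVISORY_PARAM_NAME))
    print("unescaping reveals a hidden '#':",
          reveals_hidden_ognl(ADVISORY_PARAM_NAME))
```

The design point is that an allowlist of what a parameter name may look like holds up regardless of how the attacker encodes the expression, whereas a denylist has to anticipate every escape form the downstream interpreter will decode.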