Semmle employee Man Yue Mo disclosed details about the vulnerability CVE-2018-11776 of the framework for creating web applications called Apache Struts. The problem was discovered in April 2018. It allowed to remotely run malicious code and grab control over the web server.
The problem was the configuration of the framework, which allowed errors to appear in two cases:
- if the
alwaysSelectFullNamespaceparameter was set to true;
- if the
urltags did not contain a namespace attribute, or if wildcard characters were used instead.
The attack began with a transition through a pre-configured link to a vulnerable web server. Further attackers were able to launch malicious code to capture control over the application.
Vulnerability was present in all web applications based on Apache Struts 2.3 versions prior to Struts 2.5.16. With the correct configuration file, the application could be invulnerable, but the risk of hacking increased even with the slightest change. The developers fixed the bug in versions of Apache Struts 2.3.35 and 2.5.17.