Skip to content

jas502n/st2-046-poc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

#Struts2 Content-Disposition filename null-byte variant of CVE-2017-5638

Struts2 Security Bulletin S2-046

A null byte (\x00) in a request¡¯s Content-Disposition header filename field can trigger a InvalidFileNameException with the same (client controlled) filename string in the exception message that be used can trigger OGNL evaluation during error handling. Note that this is similar to but distinct from both the original Content-Type vector reported in S2-045 and the Content-Length/Content-Disposition variant also mentioned in S2-046.

All the above variants are already fixed by the patches in Struts2 versions 2.3.32 and 2.5.10.1, and projects may alternatively use struts-extras to do mitigation in-place without upgrading, but note that previous Content-Type-focused WAF/LB countermeasures may not protect against these alternative vectors.

sh exploit-cd.sh [url] [command] [[add'l curl args]]

About

st2-046-poc CVE-2017-5638

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages