Apache REST / Struts easily exploitable through browser

Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites.

A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk.

The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability.

All versions of Struts since 2008 are affected, said the researchers.

Mo said that all a hacker needs “is a web browser.”

“I can’t stress enough how incredibly easy this is to exploit,” said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability.

“If you know what request to send, you can start any process on the web server running a vulnerable application,” he said.

Source: ZDNet

Get patching!

Leave a Reply