Secunia Logo  
 Vulnerability InformationVulnerability ScanningCommunityBlog - new entry!Corporate InformationOnline ShopCustomer Login  
 Secunia AdvisoriesSecunia ResearchBinary Analysis  
Home > Vulnerability Information > Secunia Advisories > CVE-2008-6504
Secunia Advisories
Advisories
Search
Advisories by Product
Advisories by Vendor
Historic Advisories
Mailing Lists
Report Vulnerability
Contact Form
Business Solutions Restricted
Partner Solutions Restricted
About


Secunia PSI WorldMap 		 
CVE Reference: CVE-2008-6504
NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE:
CVE-2008-6504

Description:
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

CVE Status:
Candidate

References:

XF
  http://xforce.iss.net/xforce/xfdb/46328

SAID
  Secunia Advisory: SA32495
  Secunia Advisory: SA32497

OSVDB
  49732

CONFIRM
  http://struts.apache.org/2.x/docs/s2-003.html
  http://jira.opensymphony.com/browse/XW-641
  http://issues.apache.org/struts/browse/WW-2692
  http://fisheye6.atlassian.com/cru/CR-9/

BID
  32101


Return to the previous page.


Contact | Terms & Conditions and Copyright | Report Vulnerability | Press | Jobs (open positions) | About Secunia
Copyright Secunia 2002-2009