ListSERV Maestro <= 9.0-8 RCE Vulnerability CVE-2010-1870 Scanner

Details
Stay Up To Date
Asset Type

DOMAIN,IP,URL

Need Membership

Yes

Asset Verify

Yes

API Support

Yes

Estimate Time (Second)

10

ListSERV Maestro <= 9.0-8 RCE Vulnerability CVE-2010-1870 Scanner Detail

In ListSERV Maestro <= 9.0-8, there is a Remote Code Injection vulnerability.

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Some Advice for Common Problems

  • You need to apply related fixes.
  • Sanitize all parameters received as input from the user.

Need a Full Assessment?

Get help from professional hackers. Learn about our penetration test service now!

Request Pentest Service