VYPR
Critical severity · NVD Advisory · Published Nov 1, 2019 · Updated Aug 6, 2024

CVE-2011-3923

Description

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Struts before 2.3.1.2 allows remote code execution via OGNL expression injection through the ParametersInterceptor, bypassing security protections.

CVE-2011-3923 is a remote command execution vulnerability in Apache Struts 2 before version 2.3.1.2. The root cause lies in the ParametersInterceptor's insufficient filtering of OGNL expression syntax. Specifically, the interceptor's regular expression whitelist allowed parentheses in parameter names, which OGNL interprets as expression evaluation: (top['foo'])(0) is treated as evaluating the value of parameter foo as an OGNL expression. This enables an attacker to inject arbitrary OGNL statements into any exposed String action parameter, bypassing previous fixes for S2-003 and S2-005 [3][4].

Exploitation requires no authentication and can be carried out over HTTP by sending a crafted request with a malicious OGNL expression in a parameter value and using parentheses in the parameter name to trigger evaluation. For example, a request like ?foo=&(foo)('meh')= causes the value of foo to be evaluated as an OGNL expression, allowing the attacker to call arbitrary methods and execute system commands [3][4]. The vulnerability affects all Struts 2 versions from 2.0.0 through 2.3.1.1 [3].

A successful attack grants the attacker the ability to execute arbitrary commands on the server with the privileges of the Struts application process. This can lead to full compromise of the web server and potentially the underlying system. The impact is rated as critical, with a CVSS v2 score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) [2][3].

Users must upgrade to Apache Struts 2.3.1.2 or later. For systems that cannot be upgraded, the official advisory recommends manually applying configuration changes to further restrict parameter names [3]. This CVE is referenced as a known exploited vulnerability and has been leveraged in attacks against applications such as Shopizer [1][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
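The narrative above explains that the vulnerable ParametersInterceptor accepted parentheses in parameter names, which OGNL treats as expression evaluation, and that the mitigation restricts accepted parameter names. As an added example (not code from this page or from the Struts project), the following Python applies that idea from the detection side: it checks each parameter name in a request against a strict whitelist and flags access-log lines carrying names of the parenthesised shape discussed above. The whitelist pattern, the log format and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed strict whitelist for parameter names (an assumption made here, not the
# project's actual acceptParamNames pattern): letters, digits, dots, square
# brackets, underscore and single quotes. Parentheses are deliberately absent,
# since OGNL treats (name)(arg) as expression evaluation.
SAFE_PARAM_NAME = re.compile(r"^[A-Za-z0-9.\[\]_']+$")


def unsafe_param_names(query_string):
    """Return the parameter names in a query string that fail the whitelist."""
    # parse_qsl percent-decodes names, so %28foo%29 is checked as (foo).
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return [name for name, _ in pairs if not SAFE_PARAM_NAME.match(name)]


# Assumed combined-log-format request field: "<METHOD> <target> HTTP/<ver>"
ACCESS_LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return (line_number, offending_names) for log lines whose request target
    carries at least one parameter name outside the whitelist."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        bad = unsafe_param_names(query)
        if bad:
            findings.append((n, bad))
    return findings


# Constructed sample log lines (not real traffic). The second and third carry
# parenthesised parameter names of the kind described in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2019:10:00:00 +0000] "GET /app/list.action?page=2&sort=name HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2019:10:00:01 +0000] "GET /app/list.action?foo=&(foo)(\'meh\')= HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2019:10:00:02 +0000] "POST /app/save.action?%28top%5B%27foo%27%5D%29%280%29=1 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for lineno, names in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: parameter name(s) outside whitelist: {names}")
```

The same whitelist check can be placed in front of the application (a servlet filter or reverse-proxy rule) to reject such names before they reach an unpatched ParametersInterceptor, but upgrading to 2.3.1.2 or later remains the fix.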

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.struts:struts2-core (Maven)
Affected versions: >= 2.0.0, < 2.3.1.2
Patched versions: 2.3.1.2
