Struts2 Content-Disposition filename null-byte variant of CVE-2017-5638
A null byte (
\x00) in a request’s
Content-Disposition header filename field can trigger a
InvalidFileNameException with the same (client controlled) filename string in the exception message that be used can trigger OGNL evaluation during error handling. Note that this is similar to but distinct from both the original
Content-Type vector reported in S2-045 and the
Content-Disposition variant also mentioned in S2-046.
All the above variants are already fixed by the patches in Struts2 versions 2.3.32 and 126.96.36.199, and projects may alternatively use struts-extras to do mitigation in-place without upgrading, but note that previous
Content-Type-focused WAF/LB countermeasures may not protect against these alternative vectors.
sh exploit-cd.sh [url] [command] [[add'l curl args]]