ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
| Link | Tags |
|---|---|
| http://securitytracker.com/id?1015856 | vdb entry third party advisory broken link |
| http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html | patch vendor advisory exploit broken link |
| http://www.vupen.com/english/advisories/2006/1205 | vdb entry broken link |
| http://www.securityfocus.com/bid/17342 | vdb entry third party advisory broken link |
| http://secunia.com/advisories/19493 | third party advisory broken link |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/25613 | vdb entry third party advisory |
| http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html | vendor advisory broken link |
| http://secunia.com/advisories/20117 | third party advisory broken link |
| http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 | issue tracking broken link |