'; } else{ echo ''; } echo 'Hillstone Networks'; } elseif ($_SERVER[HTTP_HOST] == "update1.huaantech.com.cn") { echo ''; echo 'huaantech'; } elseif ($_SERVER[HTTP_HOST] == "update1.dcnetworks.com.cn") { echo ''; echo 'dcnetworks'; } elseif ($_SERVER[HTTP_HOST] == "update1.w-ibeda.com") { if (false===strpos($_SERVER[REQUEST_URI],"/en/")) echo ''; else echo ''; echo 'w-ibeda'; } elseif ($_SERVER[HTTP_HOST] == "update1.hp-telecom.com") { echo ''; echo 'hp-telecom'; } elseif ($_SERVER[HTTP_HOST] == "update1.maipu.com") { echo ''; echo 'Maipu'; } elseif ($_SERVER[HTTP_HOST] == "update1.ncurity.com") { echo ''; echo 'Ncurity'; } elseif ($_SERVER[HTTP_HOST] == "update1.socusnetwork.com") { echo ''; echo 'Socusnetwork'; } else{ echo ''; echo 'Hillstone Networks'; } ?>
 
   
 

vul_frame:struts_security_bypass_paraminterceptor(Rule ID:1070110007)

Release Date2025/9/15

Rule NameCVE-2014-0094: Apache Struts ParameterInterceptor ClassLoader Manipulation Security Bypass(and CVE-2014-0112)

Severity:mid

CVE IDCVE-2014-0094 CVE-2014-0112

 

Descripiton

Apache Struts 2 is an open-source Web application framework for developing Java EE Web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. The ParameterInterceptor in Apache Struts 2 before 2.3.16 allows remote attackers to manipupate the ClassLoader via the class parameter, which is passed to the getClass method. Attackers can exploit this issue to bypass certain security and perform unauthorized actions, which may also lead to further attacks. This rule supports to defend the A6: Vulnerable and Outdated Components of OWASP Top 10 - 2021.
Other reference:None

 

Solution

Update vendor patches.