The 2010 Pwnie Winner For Best Server-Side Bug

Apache Struts2 framework remote code execution (CVE-2010-1870, Struts security advisory S2-005)

Credit: Meder Kydyraliev

Do you use the Struts2 framework in your enterprise web application? Meder Kydyraliev discovered that a single HTTP request carrying just five specially crafted parameters is enough to execute arbitrary Java code on the web server: the framework's parameter interceptor evaluated request parameter names as OGNL expressions, and its filtering of dangerous expressions could be bypassed. The fix shipped in Struts 2.2.1; earlier 2.x releases are affected. Meder gets bonus points for having to track down developers on IRC to get the vulnerability fixed after receiving no response from [email protected].