The recent Struts2 vulnerability allowed remote code execution by providing a bogus Content-Type header, as explained here: https://threatprotect.qualys.com/2017/03/08/apache-struts-jakarta-multipart-parser-remote-code-execution-vulnerability/
The page above also links to - what I assume are - the fixing commits. What I have been unable to find so far is where in Struts' code base the bogus header was actually evaluated.
The Struts wiki itself states:
Problem
It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.
But simply passing an error message through, even when composed of user input, shouldn't run an exec() command, surely?
Can anyone explain how this vulnerability actually worked, technically - preferably with a link to the buggy line in Struts' repo? Or is there really no exec culprit?
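The wiki excerpt quoted above says the trigger is a Content-Type value that does not parse and is then echoed into an error message. A generic defensive check that follows from that, added here as an example and not taken from the question or from Struts' own code, is to validate the header against the media-type grammar (RFC 7230 token / quoted-string syntax, assumed here as the reference grammar) before the request reaches any multipart parser, and to log the rejects. The request records below are constructed sample data, not real traffic.

```python
import re
from typing import Optional

# media-type = type "/" subtype *( OWS ";" OWS parameter ), with token and
# quoted-string as in RFC 7230. These patterns are constructed for this example.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_TOKEN = rf"{_TCHAR}+"
_QUOTED_STRING = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"'
_PARAM = rf"\s*;\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED_STRING})"
_MEDIA_TYPE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})((?:{_PARAM})*)\s*$")
_PARAM_RE = re.compile(_PARAM)


def check_content_type(value: str) -> Optional[str]:
    """Return None when `value` is a syntactically valid media type (and, for
    multipart/*, carries the boundary parameter it needs); otherwise a short
    reason string. Rejecting here turns a bogus header into a plain bad-request
    response instead of letting a parser further down raise on it."""
    m = _MEDIA_TYPE.match(value)
    if not m:
        return "not a media type"
    mtype, params_blob = m.group(1).lower(), m.group(3)
    params = {name.lower(): val for name, val in _PARAM_RE.findall(params_blob)}
    if mtype == "multipart" and "boundary" not in params:
        return "multipart without boundary"
    return None


def triage(requests):
    """Run the check over request records; returns [(request id, reason)] for
    every request whose Content-Type would be rejected."""
    return [(r["id"], reason) for r in requests
            if (reason := check_content_type(r["content_type"])) is not None]


# Constructed sample request records (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    {"id": 1, "content_type": "multipart/form-data; boundary=----ExampleBoundary123"},
    {"id": 2, "content_type": "application/x-www-form-urlencoded"},
    {"id": 3, "content_type": 'multipart/form-data; boundary="a b c"'},
    {"id": 4, "content_type": "multipart/form-data"},
    {"id": 5, "content_type": "multipart/form-data; boundary={not a token}"},
    {"id": 6, "content_type": "just some words, no slash"},
]

if __name__ == "__main__":
    for rid, reason in triage(SAMPLE_REQUESTS):
        print(f"request {rid}: rejected ({reason})")
```

Requests 1 to 3 pass (a quoted boundary with spaces is legal), request 4 is a multipart body with no boundary, and requests 5 and 6 fail the grammar outright; those last three are the ones a front-end filter would reject and log rather than hand to the multipart parser.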