The S2-008 vulnerability affects Apache Struts versions 2.1.0 to 2.3.1. It involves multiple issues, including OGNL expression execution via misconfigured Cookie interceptors, though limited by web container cookie character restrictions. Another aspect is the devMode feature, which exposes debug interfaces allowing direct command execution via parameters like ?debug=command&expression=<OGNL EXP>. While these vectors are often considered impractical in production, they could potentially be exploited if a devMode-enabled application is deliberately deployed as a backdoor.
S2-008 involves multiple vulnerabilities. A misconfigured Cookie interceptor can lead to OGNL expression execution, but since most web containers (such as Tomcat) impose character restrictions on cookie names, certain critical characters cannot be used, making this vector somewhat impractical. Another equally impractical vector is that when a Struts2 application has devMode enabled, multiple debugging interfaces become available that allow direct inspection of object information or execution of arbitrary commands. As kxlzx pointed out, this scenario is almost never encountered in production environments, which makes it largely irrelevant. Still, I don't think it's entirely out of the question — if an attacker had already compromised the server, they could deliberately drop an application with debug mode enabled onto it as a backdoor; that can't be ruled out.
For example, in devMode, appending the parameter ?debug=command&expression=<OGNL EXP> will directly execute the OGNL expression that follows, thus enabling arbitrary command execution (be mindful of escaping):
S2-008: Remote Code Execution Vulnerability
?debug=command&expression=<OGNL EXP>. While these vectors are often considered impractical in production, they could potentially be exploited if a devMode-enabled application is deliberately deployed as a backdoor.Affected versions: 2.1.0 - 2.3.1
Vulnerability details: http://struts.apache.org/docs/s2-008.html
Test environment setup
How it works
Reference: http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html
For example, in devMode, appending the parameter ?debug=command&expression=<OGNL EXP> will directly execute the OGNL expression that follows, thus enabling arbitrary command execution (be mindful of escaping):