This is a serious exploit on Apache Struts 2, a popular Java web framework known as SSH (Spring, Struts, Hibernate). If you visit many websites and see URLs ending with .action, it's probably written in Struts 2.
S2-016 / CVE-2013-2251, affecting Struts 2.3.15 or lower
The exploit was dead easy to weaponize, as the Apache folks blatantly published a PoC on their own bulletin.
Example of server-side arbitrary Java code (OGNL expression) execution
Apple.com hacking was published on a popular Chinese security bulletin website.
The issue was submitted to Apple on 2013-05-10 but ignored, and went public on 2013-06-24.
A Chinese blog on history and technical details of the exploit:
As a side note, rumor is that about 60% of Chinese government, e-commerce, banking, and gaming websites were hacked using this S2-016 exploit; databases were dumped and exchanged on the underground market. Also, past records show that the Apache Struts team is incompetent at security:
http://taosay.net/?p=611 (Warning: rant in Chinese text)
He said it used to take days or weeks for that to happen. Now it's hours.
This link points to the top comment on another thread (which has more points and comments as of now) about the Dev Website outage.
I remember the last RoR exploit was quite a thing on HN a few months ago. But not this Struts 2 one.
Tip: if you see a URL ending with .action, it's probably Struts 2 and vulnerable to the likes of S2-012, S2-015 and S2-016.
Besides, apple.com was hacked as early as May using similar Struts 2 exploits.
I can't conceive of the specific use case that justified adding this, but it's so clearly a bad idea that it doesn't appear bad only in hindsight. It appears bad in foresight.
"I'm going to accept and execute arbitrary expressions from clients, and these expressions can interact with arbitrary Java code, is that cool?"
As we realized it could, say, invoke static functions and execute extremely complex expressions, we realized the hole. Since then the team has been patching them piece by piece, but really OGNL should be thrown out and replaced with something that is far more limited in its capabilities.
It's been a long time since I was an active contributor, but that'd be my recommendation if I was still hacking away on it.
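The two technical points in this thread, the ".action" fingerprint for Struts 2 and the fact that the framework evaluated client-supplied OGNL (including static calls such as @java.lang.System@getProperty) on the server, translate directly into a log-side detection. The following script is an added example written for this page; it is not from any commenter, the Struts project, or the linked advisories. It scans HTTP request lines for the OGNL evaluation markers (%{ / ${, @class@member static calls, #_memberAccess, #context) and for the "action:", "redirect:" and "redirectAction:" parameter-name prefixes that the S2-016 / CVE-2013-2251 advisory identifies as being passed to OGNL unsanitized in Struts 2.3.15 and earlier. The request lines below are constructed for the example, not captured traffic, and the probe expressions in them are harmless property lookups rather than working exploits. Two caveats a practitioner should keep in mind: an .action suffix only says "probably Struts 2", not "unpatched", so version and patch level still have to be checked; and the marker match is a heuristic that can miss alternative encodings and can fire on legitimate parameters that happen to contain "${".

```python
import re
from urllib.parse import urlsplit, parse_qsl

# OGNL evaluation markers that have no business in a request parameter:
# the %{...} / ${...} evaluation syntax, the @class@member static-call
# syntax, and the internal #context / #_memberAccess objects.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|@[\w.]+@\w+|#_memberAccess|#context", re.IGNORECASE
)

# Parameter-name prefixes that Struts 2 <= 2.3.15 evaluated as OGNL
# (S2-016 / CVE-2013-2251). The expression lives in the parameter *name*.
S2016_PREFIXES = ("action:", "redirect:", "redirectAction:")

# Constructed sample request lines for the example (not real traffic).
SAMPLE_REQUESTS = [
    "GET /account/login.action?user=alice&remember=1 HTTP/1.1",
    "GET /search.action?q=price+%3C+100 HTTP/1.1",
    "GET /catalog/list.action?redirect:%25%7B%40java.lang.System%40getProperty('os.name')%7D HTTP/1.1",
    "GET /index.action?action:%24%7B1%2B1%7D= HTTP/1.1",
    "GET /legacy/report.jsp?id=%25%7B%23_memberAccess%7D HTTP/1.1",
    "GET /static/logo.png HTTP/1.1",
]


def is_struts2_url(path: str) -> bool:
    """The fingerprint from the thread: a path ending in .action is
    almost certainly served by Struts 2. It says nothing about patch level."""
    return path.lower().endswith(".action")


def decoded_params(query: str):
    """(name, value) pairs with percent-encoding removed. Blank values are
    kept because S2-016 payloads are parameter names with no value."""
    return parse_qsl(query, keep_blank_values=True)


def analyse_request(request_line: str) -> dict:
    """Classify one request line of the form 'GET /path?query HTTP/1.1'."""
    method, target, _proto = request_line.split(" ", 2)
    parts = urlsplit(target)
    findings = []
    for name, value in decoded_params(parts.query):
        if name.startswith(S2016_PREFIXES):
            findings.append(f"S2-016 prefix in parameter name: {name[:40]}")
        for field, text in (("name", name), ("value", value)):
            m = OGNL_MARKERS.search(text)
            if m:
                findings.append(f"OGNL marker {m.group(0)!r} in parameter {field}")
    return {
        "method": method,
        "path": parts.path,
        "struts2": is_struts2_url(parts.path),
        "suspicious": bool(findings),
        "findings": findings,
    }


def scan(lines):
    """Run analyse_request over an iterable of request lines."""
    return [analyse_request(line) for line in lines]


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        flag = "ALERT" if r["suspicious"] else "ok   "
        print(f"{flag} struts2={r['struts2']!s:5} {r['method']} {r['path']}")
        for f in r["findings"]:
            print("      -", f)
```

Run as-is it prints one line per constructed request: the first two .action requests are clean, the two prefixed requests are flagged both for the S2-016 prefix and for the OGNL marker inside it, and the .jsp request shows that the marker check is independent of the Struts fingerprint (an OGNL probe against a non-Struts path is still worth an alert, since the attacker is guessing at the stack). The marker check is deliberately applied to decoded names as well as values; a rule that only looks at values misses S2-016 entirely.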
Compared to Rails, PHP, what?