struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: redirect vulnerability after upgrading to Struts 2.3.16.2
Date Thu, 17 Jul 2014 09:19:30 GMT
2014-07-17 11:15 GMT+02:00 saikrishna <saikrishnaadivi@gmail.com>:
>
>
>
> Lukasz Lenart <lukaszlenart <at> apache.org> writes:
>
>>
>> This vulnerability was resolved in 2.3.15.1, more details here
>> http://struts.apache.org/release/2.3.x/docs/s2-017.html
>>
>> For sure you must switch off devMode in production; it has a large
>> impact on overall application performance.
>>
>> 2014-07-16 17:28 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
>> > Hi, getting the below error. Looks like somebody tried to attack our
>> > application with a redirect. Below is the log. Please advise.
>> >
>> > ParametersInterceptor:34 - Developer Notification (set struts.devMode to
>> > false to disable this message):
>> > Unexpected Exception caught setting
>> >
> 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServle
> tR
>> > esponse'),#res.setCharacterEncoding("UTF-8"
>> >
> ),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest')
> ,#
>> >
> res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().get
> Se
>> > r
>> >
> vletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().cl
> os
>> > e()}' on 'class java.lang.String: 100
>> >
>> >
>> > Somebody is trying to post something to the server with the redirect URL.
>> >
>> > Please suggest what should I do.
>> >
>> > Thanks
>> >
>> >
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: user-unsubscribe <at> struts.apache.org
>> > For additional commands, e-mail: user-help <at> struts.apache.org
>> >
>>
>
> Hi,
> Many thanks for the reply post. I am just wondering: we have already been
> upgraded to a later version than 2.3.15.1, which is 2.3.16.2. Should this not be
> handling this kind of vulnerability by default? What I mean is, say, Windows
> 8 is an upgraded version of Windows 7; whatever issues were resolved in
> Windows 7 must not appear again in Windows 8, right?
>
> Is it recommendable to go back to 2.3.15.1? (We have moved to 2.3.16.2 to
> tackle other vulnerabilities.)
>
> And we have already switched off devMode in production. Still we are getting
> the below error.
>
> Kindly advise. Appreciate the quick response.

If you are using 2.3.16.2 you are safe. After disabling devMode, what
kind of error do you see in the logs?
Can you post the whole log entry?


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/
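The two questions in this thread (is devMode really off, and is the logged parameter an OGNL injection attempt against the redirect prefix?) can be answered mechanically from the log. The following is an added example, not code from the thread or from the Struts project; it assumes the Developer Notification line format quoted above and uses constructed log lines in which the OGNL expression itself is replaced by a placeholder.

```python
import re

# Constructed sample log (not from the original thread). The first entry mimics
# the shape of the Developer Notification quoted in the mail; the second is a
# benign type-conversion failure that should not be flagged.
SAMPLE_LOG = """\
2014-07-16 15:28:01 INFO  ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'redirect:${#placeholder}' on 'class java.lang.String: 100
2014-07-16 15:28:05 INFO  ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'pageSize' on 'class com.example.SearchAction: 0
"""

DEVMODE_NOTICE = "Developer Notification"

# Greedy ".*" so that quotes inside the parameter name (common in OGNL
# payloads) do not cut the match short; "." does not cross line breaks.
PARAM_RE = re.compile(
    r"Unexpected Exception caught setting '(?P<param>.*)' on '(?P<target>[^'\n]*)"
)

# Action-mapping prefixes abused by S2-017. The thread mentions "redirect:";
# "redirectAction:" is the sibling prefix from the same advisory (assumption
# about scope, not quoted on the page).
PREFIX_RE = re.compile(r"^(redirect|redirectAction):", re.IGNORECASE)


def devmode_still_on(log_text):
    """devMode is still enabled if Struts emits the notification at all;
    the framework only prints it when struts.devMode is true."""
    return DEVMODE_NOTICE in log_text


def find_suspicious_params(log_text):
    """Return (param, target) pairs for notifications whose parameter name
    starts with a redirect prefix and embeds an OGNL expression ("${" or "%{").
    Ordinary conversion errors (wrong type for a real action property) are
    not reported."""
    hits = []
    for m in PARAM_RE.finditer(log_text):
        param = m.group("param")
        if PREFIX_RE.match(param) and ("${" in param or "%{" in param):
            hits.append((param, m.group("target")))
    return hits


if __name__ == "__main__":
    print("devMode on:", devmode_still_on(SAMPLE_LOG))
    for param, target in find_suspicious_params(SAMPLE_LOG):
        print("suspicious parameter:", param, "->", target)
```

If `devmode_still_on` returns True on a production log, the `struts.devMode` setting in effect is not the one you think it is (check struts.xml and struts.properties on every node); a non-empty result from `find_suspicious_params` on a 2.3.16.2 deployment is an attempt that the fixed version rejects, not a sign the fix is missing.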


