struts-user mailing list archives

From saikrishna <saikrishnaad...@gmail.com>
Subject Re: redirect vulnerability after upgrading to Struts 2.3.16.2
Date Thu, 17 Jul 2014 09:31:57 GMT
Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 
> 2014-07-17 11:15 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> >
> >
> >
> > Lukasz Lenart <lukaszlenart <at> apache.org> writes:
> >
> >>
> >> This vulnerability was resolved in 2.3.15.1, more details here
> >> http://struts.apache.org/release/2.3.x/docs/s2-017.html
> >>
> >> For sure you must switch off devMode in production, thus has large
> >> impact on overall application performance
> >>
> >> 2014-07-16 17:28 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> >> > Hi, getting the below error. Looks like somebody tried to attack our
> >> > application with a redirect. Below is the log. Please advise.
> >> >
> >> > ParametersInterceptor:34 - Developer Notification (set struts.devMode to false
> >> > to disable this message):
> >> > Unexpected Exception caught setting
> >> > 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}' on 'class java.lang.String: 100
> >> >
> >> >
> >> > Somebody is trying to post something to the server with the redirect
> >> > URL.
> >> >
> >> > Please suggest what I should do.
> >> >
> >> > Thanks
> >> >
> >> >
> >> >
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: user-unsubscribe <at> struts.apache.org
> >> > For additional commands, e-mail: user-help <at> struts.apache.org
> >> >
> >>
> >
> > Hi,
> > Many thanks for the reply post. I am just wondering: we have already been
> > upgraded to a later version than 2.3.15.1, which is 2.3.16.2. Should this not
> > be handling this kind of vulnerability by default? What I mean is, say,
> > Windows 8 is an upgraded version of Windows 7; whatever issues were resolved
> > in Windows 7 must not appear again in Windows 8, right?
> >
> > Is it recommendable to go back to 2.3.15.1? (We have moved to 2.3.16.2 to
> > tackle other vulnerabilities.)
> >
> > And we have already switched off devMode in production. Still we are
> > getting the below error.
> >
> > Kindly advise. Appreciate the quick response.
> 
> If you are using 2.3.16.2 you are safe. After disabling devMode, what
> kind of error do you see in the logs?
> Can you post the whole log entry?
> 
> Regards

2014-04-18 05:23:12,320 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()}' on 'class java.lang.String: 100


This is the complete log entry. Looks like it's a hack attempt trying to post
some data to the server?
Please advise on the possible fix.



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
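As a triage aid for entries like the two quoted in this thread, and not code from the thread, from Struts, or from XWork: the Python script below parses ParametersInterceptor "Developer Notification" entries, re-joins the two physical lines Struts prints per entry, and flags parameter names that carry an OGNL expression behind the redirect:, redirectAction: or action: prefixes that the S2-016/S2-017 fixes addressed. The sample log is constructed from the two entries in this thread (the timestamp on the second one is made up; the thread's copy has none) plus one made-up benign entry of the same shape; the indicator list and the Finding type are assumptions of this example, not anything Struts emits.

```python
"""Flag OGNL-injection attempts in Struts 2 ParametersInterceptor log entries."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the two notifications quoted in this thread,
# re-joined onto single lines (second timestamp made up), plus a made-up
# benign entry that is just a type-conversion failure.
SAMPLE_LOG = """\
2014-04-18 05:23:12,320 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()}' on 'class java.lang.String: 100
2014-07-16 15:28:01,002 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}' on 'class java.lang.String: 100
2014-07-16 15:30:44,117 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'pageSize' on 'class com.example.ListAction: For input string: "abc"
"""

# A new entry starts with a log4j-style timestamp; any other line continues
# the previous entry (Struts prints the notification across two lines).
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ")

# The parameter name sits between the first quote after "setting" and the
# last "' on '"; it contains quotes of its own whenever it is OGNL, so the
# group must be greedy.
SETTING = re.compile(
    r"Unexpected Exception caught setting '(?P<param>.*)' on '(?P<tail>.*)$", re.S
)

# DefaultActionMapper prefixes abused by the S2-016/S2-017 payload family.
PREFIX = re.compile(r"^(redirect|redirectAction|action):")

# Substrings that no legitimate parameter *name* would carry (assumed list).
INDICATORS = {
    "ognl-expression": re.compile(r"\$\{|%\{"),
    "value-stack-context": re.compile(r"#context\b|#_memberAccess|#application|#session"),
    "servlet-objects": re.compile(r"com\.opensymphony\.xwork2\.dispatcher\.HttpServlet(?:Request|Response)"),
    "writes-response": re.compile(r"\.getWriter\(\)"),
    "path-disclosure": re.compile(r"\.getRealPath\("),
    "command-execution": re.compile(r"@java\.lang\.Runtime@|ProcessBuilder|\.exec\("),
}


@dataclass
class Finding:
    timestamp: str
    param: str          # the rejected parameter name, verbatim
    tail: str           # what Struts printed after "' on '", not interpreted
    prefix: Optional[str]
    indicators: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # A ${...}/%{...} expression in a parameter name is never user input
        # a form would send; anything else is most likely a conversion error.
        if "ognl-expression" in self.indicators:
            return "ognl-injection-attempt"
        return "conversion-error"


def split_entries(text: str) -> List[Tuple[str, str]]:
    """Group physical lines into (timestamp, full message) log entries."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append((m.group(1), line[m.end():]))
        elif entries:  # continuation line: glue it onto the open entry
            ts, msg = entries[-1]
            entries[-1] = (ts, msg + "\n" + line)
    return entries


def analyse(text: str) -> List[Finding]:
    """Return one Finding per ParametersInterceptor notification in the log."""
    findings: List[Finding] = []
    for ts, msg in split_entries(text):
        if "ParametersInterceptor" not in msg:
            continue
        m = SETTING.search(msg)
        if not m:
            continue
        param = m.group("param")
        pm = PREFIX.match(param)
        f = Finding(ts, param, m.group("tail").rstrip("'"), pm.group(1) if pm else None)
        f.indicators = [name for name, rx in INDICATORS.items() if rx.search(param)]
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.timestamp} {f.verdict:24} prefix={f.prefix} "
              f"indicators={','.join(f.indicators) or '-'}")
```

Run it over the application log rather than the sample: entries with verdict ognl-injection-attempt are the ones to correlate with the client address and request line in the access log. Both payloads in this thread only try to print the web root's real path back into the response (the path-disclosure and writes-response indicators); a payload hitting the command-execution indicator is the one that warrants checking the host, not just the log.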

