struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4947) server errors generated by secure-jakarta-multipart-parser-plugin
Date Wed, 12 Dec 2018 19:21:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16719327#comment-16719327 ]

Lukasz Lenart commented on WW-4947:
-----------------------------------

This plugin is just a port of what we have done in the main Struts line. It allows you to temporarily resolve the issue reported in the mentioned CVE by applying the plugin if you are running {{Struts 2.3.8 till 2.5.5}} - without migration to the latest Struts version.

https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md#supported-versions

> server errors generated by secure-jakarta-multipart-parser-plugin
> -----------------------------------------------------------------
>
>                 Key: WW-4947
>                 URL: https://issues.apache.org/jira/browse/WW-4947
>             Project: Struts 2
>          Issue Type: Dependency
>            Reporter: Nicola
>            Priority: Major
>             Fix For: 2.6
>
>
>  
> Hi, my name is Nick,
> first Jira here.
>  
> I installed secure-jakarta-multipart-parser-plugin-1.1 software to patch the CVE-2017-5638 security issue.
> Since it's an official plugin, I expected to find some documentation on how it works and what kind of response to expect from the server. But I didn't find any, I guess because the preferred patch is to actually update the Struts version to a more secure one, which I can't do unfortunately.
> PROBLEM: I'm getting several different exceptions when I try to attack the system.
> Sometimes I just get the HTML. So I guess the attack has not worked (and the patch did stop it), but it's hard for me to understand why I get such different responses from the server.
> My main doubt is why sometimes the server returns an error and sometimes it just returns the HTML.
>  
> Am I doing this right? Is this how it's supposed to work? Or is this an issue that should be handled somehow at the application level?
>  
> Thanks in advance
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
