struts-user mailing list archives

From "Eric Reed" <ERE...@MAIL.NYSED.GOV>
Subject Re: Steps Involved in counter measurement for security issues
Date Wed, 16 Oct 2013 12:21:28 GMT
First of all, security on web applications is a concern, but not as
much as one would think. 

To find all the security vulnerabilities within any application, or
framework, one would find all the entry points which allow user-provided
data. This could be a field, a protocol, etc., and then one
would "fuzz" this process until the program crashed. 

Not only does a hacker need to crash the program, but hacking also
requires knowledge by the attacker of the underlying operating system
and what version it is. Most web applications run in a virtual
environment with proxies between the real server and the user, so just
finding out what to attack is hard if the network is properly
configured. 

Certainly something to consider, but you will probably never find all
the vulnerabilities; it's a much better approach to monitor your
network and know your underlying systems. 

Even though Struts can be hacked, look at all those .jar files you
included and run on your server with high-level permissions. Those too
can be full of exploits, and most of those libs are just downloaded from
the net by amateur developers. 

Eric Reed
New York State Department of Education





>>> Lukasz Lenart <lukaszlenart@apache.org> 10/16/2013 7:12 AM >>>
Ok, so the only option is to go through each security bulletin and check
whether the provided Proof-of-Concept affects your application. And DMI
isn't a problem if used wisely.

https://cwiki.apache.org/confluence/display/WW/Security+Bulletins 

2013/10/16 Sreekanth S. Nair <sreekanth.nair@egovernments.org>:
> Thanks Lukasz, the problem I'm facing now is our product is so huge to do a
> migration and running mainly on DMI. I'm unable to convince my top
> management about how bad the struts2 vulnerability is (since I don't know how to
> replicate the vulnerability). So I have no choice other than option 2.
>
> --
> Thanks & Regards
> Srikanth
> Software Developer
> --------------------------------
> eGovernments Foundations
> www.egovernments.org 
> Mob : 9980078913
> --------------------------------
>
>
> On Wed, Oct 16, 2013 at 4:22 PM, Umesh Awasthi <umeshawasthi@gmail.com> wrote:
>
>> I do not think that is possible.
>> You have 2 options:
>>
>> 1. Upgrade your struts2 version.
>> 2. Go through the security vulnerabilities and see what was there, create test
>> cases to see what exactly is happening, and fix them by checking the patches.
>>
>> But IMO, upgrading to the latest version is much more flexible and less
>> time-consuming than going through each and every vulnerability and applying
>> fixes for them.
>>
>>
>> On Wed, Oct 16, 2013 at 4:17 PM, Sreekanth S. Nair <
>> sreekanth.nair@egovernments.org> wrote:
>>
>> > Test Case to test the security vulnerability (major ones) in
>> > struts2-core-2.1.2.
>> >
>> > --
>> > Thanks & Regards
>> > Srikanth
>> > Software Developer
>> > --------------------------------
>> > eGovernments Foundations
>> > www.egovernments.org 
>> > Mob : 9980078913
>> > --------------------------------
>> >
>> >
>> > On Wed, Oct 16, 2013 at 4:15 PM, Lukasz Lenart <lukaszlenart@apache.org> wrote:
>> >
>> > > 2013/10/16 Sreekanth S. Nair <sreekanth.nair@egovernments.org>:
>> > > > One more doubt: is this security vulnerability able to bring down the
>> > > > server :-) ? If we authorize ourselves to Apache, is it possible for the
>> > > > Struts team to give us a test case to check the vulnerability?
>> > >
>> > > What do you mean by that? What test case do you refer to?
>> > >
>> > >
>> > > Regards
>> > > --
>> > > Ɓukasz
>> > > + 48 606 323 122 http://www.lenart.org.pl/ 
>> > >
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org 
>> > > For additional commands, e-mail: user-help@struts.apache.org 
>> > >
>> > >
>> >
>>
>>
>>
>> --
>> With Regards
>> Umesh Awasthi
>> http://www.travellingrants.com/ 
>>





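Added example, not code from this thread or from the Struts project, tying together three points made above: Umesh's "upgrade your struts2 version", Lukasz's remark that DMI is only a problem if used carelessly, and Eric's point that the .jar files shipped alongside Struts deserve the same scrutiny. The script inventories WEB-INF/lib by reading each jar's Maven pom.properties, compares the struts2-core version against a threshold, and reads the struts.enable.DynamicMethodInvocation constant from struts.xml. The WEB-INF layout, the sample jars and struts.xml it builds in a temp directory, and the version threshold passed in the demo are all constructed assumptions; the real minimum version comes from the Security Bulletins page linked in the thread.

```python
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Real Struts 2 constant name; its framework default is true for the 2.1-2.3 line.
DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"


def jar_coordinates(jar_path):
    """Return every (groupId, artifactId, version) recorded in the jar's Maven
    pom.properties entries (a shaded jar may carry several)."""
    found = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found.append((props["groupId"], props["artifactId"], props["version"]))
    return found


def inventory(lib_dir):
    """Map (groupId, artifactId) -> version across all jars in WEB-INF/lib."""
    inv = {}
    for fn in sorted(os.listdir(lib_dir)):
        if fn.endswith(".jar"):
            for group, artifact, version in jar_coordinates(os.path.join(lib_dir, fn)):
                inv[(group, artifact)] = version
    return inv


def version_key(version):
    """Comparable key for Maven-style versions: leading numeric parts as ints;
    a non-numeric qualifier (-SNAPSHOT, -beta, ...) sorts below the bare release."""
    numbers, qualifier = [], False
    for part in re.split(r"[.\-]", version):
        if part.isdigit() and not qualifier:
            numbers.append(int(part))
        else:
            qualifier = True
    return (tuple(numbers), 0 if qualifier else 1)


def dmi_setting(struts_xml_path):
    """True/False if struts.xml sets the DMI constant explicitly, else None
    (the value then comes from struts.properties or the framework default)."""
    root = ET.parse(struts_xml_path).getroot()
    value = None
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            value = const.get("value", "").strip().lower() == "true"
    return value


def audit(webinf_dir, min_struts_version):
    """One report per WEB-INF: struts2-core version, whether it is below the
    threshold, the DMI setting, and how many jars were inventoried."""
    inv = inventory(os.path.join(webinf_dir, "lib"))
    core = inv.get(("org.apache.struts", "struts2-core"))
    return {
        "struts2-core": core,
        "needs_upgrade": core is not None and version_key(core) < version_key(min_struts_version),
        "dmi_enabled": dmi_setting(os.path.join(webinf_dir, "classes", "struts.xml")),
        "jar_count": len(inv),
    }


# ---- constructed sample data (assumptions, not a real deployment) ----
def _write_jar(path, group, artifact, version):
    """Minimal jar holding only the Maven pom.properties entry."""
    entry = "META-INF/maven/%s/%s/pom.properties" % (group, artifact)
    body = "#Generated by Maven\nversion=%s\ngroupId=%s\nartifactId=%s\n" % (version, group, artifact)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(entry, body)


SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.1//EN"
    "http://struts.apache.org/dtds/struts-2.1.dtd">
<struts>
    <constant name="struts.devMode" value="false"/>
    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
    <package name="default" extends="struts-default"/>
</struts>
"""


def build_sample_webinf():
    """Temp WEB-INF mirroring the thread: struts2-core 2.1.2, two companion
    jars, and a struts.xml that leaves DMI switched on."""
    root = tempfile.mkdtemp(prefix="webinf-audit-")
    lib, classes = os.path.join(root, "lib"), os.path.join(root, "classes")
    os.makedirs(lib)
    os.makedirs(classes)
    _write_jar(os.path.join(lib, "struts2-core-2.1.2.jar"), "org.apache.struts", "struts2-core", "2.1.2")
    _write_jar(os.path.join(lib, "xwork-2.1.1.jar"), "com.opensymphony", "xwork", "2.1.1")
    _write_jar(os.path.join(lib, "commons-lang-2.4.jar"), "commons-lang", "commons-lang", "2.4")
    with open(os.path.join(classes, "struts.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_STRUTS_XML)
    return root


if __name__ == "__main__":
    # "2.3.16" is a placeholder threshold; take the real one from the bulletins page.
    print(audit(build_sample_webinf(), min_struts_version="2.3.16"))
```

Point `audit()` at a real exploded WAR's WEB-INF and the same report covers every other jar in `inventory()`, which is the list Eric suggests reviewing; jars built without Maven metadata will not appear and need checking by hand.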
