struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: redirect vulnerability after upgrading to Struts 2.3.16.2
Date Thu, 17 Jul 2014 05:55:20 GMT
This vulnerability was resolved in 2.3.15.1; more details here:
http://struts.apache.org/release/2.3.x/docs/s2-017.html

For sure you must switch off devMode in production; this has a large
impact on overall application performance.

2014-07-16 17:28 GMT+02:00 saikrishna <saikrishnaadivi@gmail.com>:
> Hi. Getting the below error. Looks like somebody tried to attack our application
> with a redirect. Below is the log. Please advise.
>
> ParametersInterceptor:34 - Developer Notification (set struts.devMode to false
> to disable this message):
> Unexpected Exception caught setting
> 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletR
> esponse'),#res.setCharacterEncoding("UTF-8"
> ),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#
> res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getSe
> r
> vletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().clos
> e()}' on 'class java.lang.String: 100
>
>
> Somebody is trying to post something to the server with the redirect URL.
>
> Please suggest what should I do.
>
> Thanks
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
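
Added example (not part of the original messages and not Struts project code): a Python triage of ParametersInterceptor devMode output like the log quoted above, flagging parameter names that use the special prefixes and reporting whether devMode is still enabled. The prefix list, the function names and the sample log are assumptions constructed for this example.

```python
import re

# Parameter-name prefixes given special handling by Struts 2 releases before
# 2.3.15.1 (assumption: list taken from the S2-016/S2-017 advisories).
PREFIXES = ("redirect:", "redirectAction:", "action:")

# This hint is only logged while struts.devMode is true.
DEVMODE_RE = re.compile(r"set struts\.devMode to false")
# devMode prints the offending parameter name in quotes; the name may itself
# contain quotes, so match lazily up to the "' on 'class" that follows it.
SETTING_RE = re.compile(r"caught setting\s+'(.*?)'\s+on\s+'class ", re.S)
OGNL_RE = re.compile(r"[$%]\{")  # opener of a ${...} or %{...} expression


def classify(param_name):
    """Return a finding label for one parameter name, or None if benign."""
    if not param_name.startswith(PREFIXES):
        return None
    if OGNL_RE.search(param_name):
        return "ognl-expression-in-prefixed-parameter"
    return "prefixed-parameter"


def triage(log_text):
    """Summarise devMode notifications: is devMode on, and what was probed."""
    names = SETTING_RE.findall(log_text)
    findings = [(classify(n), n.split(":", 1)[0]) for n in names if classify(n)]
    return {"devmode_enabled": bool(DEVMODE_RE.search(log_text)),
            "findings": findings}


# Constructed sample log (harmless expressions, not the payload quoted above).
SAMPLE_LOG = """\
ParametersInterceptor:34 - Developer Notification (set struts.devMode to false
to disable this message):
Unexpected Exception caught setting 'redirect:${1+1}' on 'class java.lang.String: 100
ParametersInterceptor:34 - Developer Notification (set struts.devMode to false
to disable this message):
Unexpected Exception caught setting 'pageSize' on 'class com.example.ListAction: bad value
ParametersInterceptor:34 - Developer Notification (set struts.devMode to false
to disable this message):
Unexpected Exception caught setting 'redirectAction:home' on 'class java.lang.String: 100
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `devmode_enabled` result of `True` on a production log is itself a finding, independent of whether any prefixed parameter was seen.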
