There is nothing to worry about: the first exception is logged by the file
upload parsing layer because it cannot parse the multipart request; the second
is logged because the request did not pass validation and there is no
"input" result (the first exception was the cause of the failed validation).

On Thu, 18 May 2017 at 21:16 Greg Lindholm <greg.lindh...@gmail.com>
wrote:

> I've upgraded to Struts 2.3.32.
> Our site is still getting bombarded with S2-045 attacks.
>
> The application logs are filled with stack traces from these. I noticed
> that one request is often generating two stack traces. The first is
> expected and the second isn't.
>
> First exception (with most of the attack crap obscured):
> 2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
> org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
>     at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
>     at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)
>     at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:192)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:131)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:92)
>     at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:84)
>     at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:849)
>     ...
>
> Second exception:
> 2017-05-16 06:18:22,024 WARN  org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
> No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/webapps/Resolution/webroot/WEB-INF/classes/struts.xml:24:26
>     at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:276)
>     at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:265)
>     at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:76)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     ...
>
> In the Tomcat access logs I see a "GET /index.action HTTP/1.1" but this
> doesn't log headers etc., so I don't have the full request (with all the
> attack code).
>
> My app doesn't have a "/index.action" but it does have a catchAll [ action
> name="*" ] which normally works but apparently not in this scenario.
>
> I'm not able to reproduce this on my development machine.
>
> Is anyone else seeing similar things happening?
> Is there anything here to worry about?
> Any changes I should be making?
>
>
> Greg
>
-- 
(mobile)
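As an added illustration of the two-trace footprint the reply above describes (example code written for this page, not from the thread, from Greg's site or from the Struts project), here is a small Python triage that splits an application log into records, flags JakartaMultiPartRequest parse failures whose Content-Type value carries OGNL expression syntax, and checks that each such record is immediately followed by the "No result defined ... result input" record. The sample log is constructed from the traces quoted in the thread (payload obscured, frames cut short) plus one non-OGNL multipart failure that must not be flagged; the `OGNL_MARKERS` list and the 500 ms pairing window are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample of the application log, modelled on the two stack traces
# quoted in the thread (payload obscured as in the original post, traces cut
# short). It is not captured data from the poster's site. The third record is
# also constructed: a genuinely bad upload that the triage must NOT flag.
SAMPLE_LOG = """\
2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXXXXXX}
    at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:192)
2017-05-16 06:18:22,024 WARN  org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/webapps/Resolution/webroot/WEB-INF/classes/struts.xml:24:26
    at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)
2017-05-16 06:19:01,500 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is text/plain
    at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
"""

# A timestamped line starts a new log record; the lines that follow it
# (exception message, "at ..." frames) belong to that record.
RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ", re.MULTILINE)
CONTENT_TYPE = re.compile(r"content type header is (.*)")

# Substrings that betray an OGNL expression smuggled into Content-Type, as in
# the S2-045 probe quoted in the thread. Assumed list; extend from your own logs.
OGNL_MARKERS = (
    "%{",
    "${",
    "#_='multipart/form-data'",
    "ognl.OgnlContext",
    "DEFAULT_MEMBER_ACCESS",
)


def split_records(log_text):
    """Return a list of (timestamp, record_text) for a log4j-style log."""
    starts = list(RECORD_START.finditer(log_text))
    records = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        records.append((m.group(1), log_text[m.start():end]))
    return records


def is_ognl_probe(content_type):
    """True if the Content-Type value carries OGNL expression syntax."""
    return any(marker in content_type for marker in OGNL_MARKERS)


def _ms_between(ts_a, ts_b):
    fmt = "%Y-%m-%d %H:%M:%S,%f"
    delta = datetime.strptime(ts_b, fmt) - datetime.strptime(ts_a, fmt)
    return delta.total_seconds() * 1000


def triage_s2045(log_text, pair_window_ms=500):
    """Find JakartaMultiPartRequest parse failures whose Content-Type looks
    like an OGNL probe, and record whether the expected follow-on
    'No result defined ... result input' record appears right after it."""
    records = split_records(log_text)
    events = []
    for i, (ts, text) in enumerate(records):
        if "Unable to parse request" not in text:
            continue
        m = CONTENT_TYPE.search(text)
        if not m:
            continue
        content_type = m.group(1).strip()
        if not is_ognl_probe(content_type):
            continue  # a genuine bad upload, not a probe
        paired = False
        if i + 1 < len(records):
            next_ts, next_text = records[i + 1]
            paired = (
                0 <= _ms_between(ts, next_ts) <= pair_window_ms
                and "Could not find action or result" in next_text
                and "result input" in next_text
            )
        events.append({
            "timestamp": ts,
            "content_type": content_type,
            "paired_input_result": paired,
        })
    return events


if __name__ == "__main__":
    for e in triage_s2045(SAMPLE_LOG):
        follow = "with" if e["paired_input_result"] else "without"
        print(e["timestamp"], "probe", follow, "follow-on input-result trace:",
              e["content_type"][:60])
```

Point it at the application log rather than the Tomcat access log, since, as Greg notes, the access log carries no headers; if you want the offending Content-Type at the Tomcat level as well, the AccessLogValve pattern accepts `%{Content-Type}i` to write the incoming header. A probe that shows up without its paired "result input" record is simply one that hit an action with an "input" result defined, not a different attack.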
