There is nothing to worry about: the first exception is logged by the file upload parsing layer because it cannot parse the multipart request; the second is logged because the request did not pass validation and there is no "input" result defined (the first exception was the cause of the failed validation).
On Thu, 18.05.2017 at 21:16 Greg Lindholm <greg.lindh...@gmail.com> wrote:
> I've upgraded to Struts 2.3.32.
> Our site is still getting bombarded with S2-045 attacks.
>
> The application logs are filled with stack traces from these. I noticed
> that one request is often generating two stack traces. The first is
> expected and the second isn't.
>
> First exception (with most of the attack crap obscured):
> 2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
> org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
>     at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
>     at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)
>     at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:192)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:131)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:92)
>     at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:84)
>     at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:849)
>     ...
>
> Second exception:
> 2017-05-16 06:18:22,024 WARN org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
> No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/webapps/Resolution/webroot/WEB-INF/classes/struts.xml:24:26
>     at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:276)
>     at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:265)
>     at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:76)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     ...
>
> In the Tomcat access logs I see a "GET /index.action HTTP/1.1" but this
> doesn't log headers etc. so I don't have the full request (with all the
> attack code).
>
> My app doesn't have a "/index.action" but it does have a catchAll [ action
> name="*" ] which normally works but apparently not in this scenario.
>
> I'm not able to reproduce this on my development machine.
>
> Is anyone else seeing similar things happening?
> Is there anything here to worry about?
> Any changes I should be making?
>
>
> Greg
> -- (mobile)
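As an added example (not code from either participant or from the Struts project): a small Python scanner for application logs shaped like the two traces quoted above. It pairs each JakartaMultiPartRequest "Unable to parse request" warning with the Dispatcher "Could not find action or result" warning that follows it within a second, which is the two-trace pattern the reply explains (validation fails, no "input" result is defined), and then flags only the pairs whose Content-Type header carries an OGNL expression. The sample log is constructed from the quoted traces with the payload elided as in the post; the second, non-OGNL pair is invented to show that the pairing alone is not the indicator, the header content is. The one-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the two stack traces quoted in the thread.
# First pair: an S2-045 probe (payload elided with X's as in the post).
# Second pair: a constructed, malformed but non-OGNL Content-Type, to show that
# the parse-failure/no-result pairing by itself does not identify an attack.
SAMPLE_LOG = """\
2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXXXXXX}
\tat org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
\tat org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:849)
2017-05-16 06:18:22,024 WARN org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/webapps/Resolution/webroot/WEB-INF/classes/struts.xml:24:26
\tat com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)
2017-05-16 06:19:01,500 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is text/plain; multipart/form-data
\tat org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
2017-05-16 06:19:01,503 WARN org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
"""

# A log4j-style line: timestamp, level, logger:line, " - ", message.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ "
    r"(?P<logger>[\w.$]+):\d+ - (?P<msg>.*)$"
)
# The commons-fileupload exception line that echoes the offending header.
CT_EXC = re.compile(r"InvalidContentTypeException: .*content type header is (?P<ct>.*)$")
NO_RESULT = re.compile(r"^Could not find action or result: (?P<path>\S+)")
# Markers of an OGNL expression smuggled into the header; the payload quoted
# in the thread opens with %{ and references ognl.OgnlContext.
OGNL_MARKERS = re.compile(r"%\{|\$\{|@ognl\.|DEFAULT_MEMBER_ACCESS|_memberAccess")
# Assumed: the follow-up Dispatcher warning lands within a second (2 ms above).
PAIR_WINDOW = timedelta(seconds=1)


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def scan(log_text):
    """Return one record per multipart parse failure, each paired with the
    Dispatcher 'Could not find action or result' warning that follows it."""
    events = []
    pending = None  # parse failure still waiting for its follow-up warning
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            # Continuation line: exception message or stack frame.
            ce = CT_EXC.search(line)
            if ce and pending is not None and pending["content_type"] is None:
                ct = ce.group("ct").strip()
                pending["content_type"] = ct
                pending["ognl"] = bool(OGNL_MARKERS.search(ct))
            continue
        ts = _parse_ts(m.group("ts"))
        msg = m.group("msg")
        if m.group("logger").endswith("JakartaMultiPartRequest") and msg.startswith("Unable to parse request"):
            pending = {"time": ts, "content_type": None, "ognl": False, "followup": None}
            events.append(pending)
            continue
        nr = NO_RESULT.match(msg)
        if nr and pending is not None and ts - pending["time"] <= PAIR_WINDOW:
            pending["followup"] = nr.group("path")
            pending = None
    return events


def s2045_probes(log_text):
    """Only the parse failures whose Content-Type carries an OGNL expression."""
    return [e for e in scan(log_text) if e["ognl"]]


if __name__ == "__main__":
    for e in s2045_probes(SAMPLE_LOG):
        print(e["time"], e["followup"], e["content_type"][:60])
```

On the sample above this reports one probe (the first pair) and ignores the second pair even though it produced the same two warnings. To get the offending header into the Tomcat access log rather than reconstructing it from stack traces, the AccessLogValve pattern accepts `%{Content-Type}i` for the incoming request header.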