[
https://issues.apache.org/jira/browse/WW-4774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947111#comment-15947111
]
upendar commented on WW-4774:
-----------------------------
[~lukaszlenart] Struts version 2.3.1 is vulnerable and is exploited. The above
error shows WARN but that is actually causing vulnerable as we did many exploit
scripts after attack and reported as vulnerable.
We need to understand what actually caused version 2.3.1 vulnerable and error
I stated above is same as the error reported in CVE-2017-5638. Please let me
know
> Upgrding Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP
> ------------------------------------------------------------------
>
> Key: WW-4774
> URL: https://issues.apache.org/jira/browse/WW-4774
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.10
> Reporter: upendar
> Priority: Critical
> Fix For: 2.5.next
>
>
> We are upgrading Struts2 from 2.3.1 to 2.5.10.1 ; redirect making https://
> to http:// . The following errors in chrome and IE are seen while redirecting
> from the popup to main window
> redirecting popup (create user) --- main window (viewdashboard) - the URL
> shows https:// to http://
> We are blocked completely due to this issue and need support ASAP. We also
> reviewed the apache server configurations and looks good. Please share the
> fix in detail.
> Error Issue in chrome :
> Mixed Content: The page at
> 'https://XXXXX/XX/XX/viewdashboard?clear&Id=1&uar=44' was loaded over HTTPS,
> but requested an insecure XMLHttpRequest endpoint
> 'http://XXX/XX/XX/viewdashboard?uar=44&Id=1'. This request has been blocked;
> the content must be served over HTTPS.
> Issue in IE
> SEC7127: Redirect was blocked for CORS request.
> File: account
> SCRIPT7002: XMLHttpRequest: Network Error 0x2ef1, Could not complete the
> operation due to error 00002ef1.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
