Re: How to determine if a Windows server is running Apache Struts?

2017-09-06 Thread Sean Son
On Wed, Sep 6, 2017 at 7:56 PM, Ken McWilliams wrote: > Programs can also be "exploded" (not in any type of zip file) so be sure to > search all files in the normal filesystem as well. To test your script just > create a couple zip files with some nested folders where

Re: How to determine if a Windows server is running Apache Struts?

2017-09-06 Thread Ken McWilliams
Programs can also be "exploded" (not in any type of zip file) so be sure to search all files in the normal filesystem as well. To test your script just create a couple zip files with some nested folders where you have placed some made up files either called "struts.xml" or "struts2-core-*.jar" to

Re: How to determine if a Windows server is running Apache Struts?

2017-09-06 Thread Ken McWilliams
Struts isn't a stand-alone program but a framework, typically seen as a project dependency which supports web development on the JVM. I don't know the answer to 1) [although I will at the end go through the process I would attempt to find such programs]. 2) No. Struts2 [which is different code base

How to determine if a Windows server is running Apache Struts?

2017-09-06 Thread Sean Son
Hello all I am new to the mailing list as well as new to Apache Struts. We all heard in the news about the vulnerability affecting Apache Struts. I have been tasked to determine which of our servers have Struts running on them. I have a few questions on how to determine if a server is running

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 18:40 GMT+02:00 William Stranathan : > Any ETA? Under way to the Central and mirrors Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
Any ETA? On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote: > 2017-09-06 16:12 GMT+02:00 Emi : > > Hello, > >> > >> I finally read your email where you gave the dist URL for the dev > release. > > > > This is the release that I should use for

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
Incidentally, the wiki points out that 2.3 is vulnerable, but http://struts.apache.org/docs/s2-052.html still only states 2.5. On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote: > 2017-09-06 16:12 GMT+02:00 Emi : > > Hello, > >> > >> I finally

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 16:12 GMT+02:00 Emi : > Hello, >> >> I finally read your email where you gave the dist URL for the dev release. > > This is the release that I should use for 2.3 right? > > https://dist.apache.org/repos/dist/dev/struts/2.3.34/ Yes, it should be officially

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Emi
Hello, I finally read your email where you gave the dist URL for the dev release. This is the release that I should use for 2.3 right? https://dist.apache.org/repos/dist/dev/struts/2.3.34/ Thanks. I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions. I

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
Thanks a lot! 2017-09-06 15:56 GMT+02:00 William Stranathan : > I finally read your email where you gave the dist URL for the dev release. > I tested against the struts2-rest-showcase app, a URL that was vulnerable > in other versions. > > I also manually built just

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
I finally read your email where you gave the dist URL for the dev release. I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions. I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 12:37 GMT+02:00 Lukasz Lenart : > Here is the full info > http://markmail.org/message/5xuhb2vwc7iagjjr William, how does your test pass? Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
Ah.. right, I forgot about that 2017-09-06 13:11 GMT+02:00 William Stranathan : > And yes, it looks like the Jenkins builds have been failing for quite some > time: > https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console > (that >

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 13:04 GMT+02:00 William Stranathan : > Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the > 2.3.34 snapshot of the rest-plugin dated August 12. > > I just did a build of only the bits needed to get the rest-showcase running > (so mvn

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
And yes, it looks like the Jenkins builds have been failing for quite some time: https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console (that error message is not too dissimilar from the one I get with JDK 7 in the same module). On Wed, Sep 6, 2017 at 7:04 AM

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12. I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 12:31 GMT+02:00 William Stranathan : > Odd - when I tested the snapshots, they were still vulnerable. I'm not able > to get it to build from source (now some odd javac access exception). Strange, do you have a date of the snapshot? Maybe Jenkins stopped

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception). Where do I get the bits for testing 2.3.34, if not the snapshots? On Wed, Sep 6, 2017 at 1:36 AM Lukasz Lenart wrote: >

Re: Clicking helloworld link got java.lang.NoSuchMethodError: org.apache.commons.lang3.reflect.MethodUtils.getAnnotation

2017-09-06 Thread Christoph Nenning
> > I tried > export > CLASSPATH=$JAVA_HOME/lib:$HOME/Struts2/struts-2.5.12/lib: > $CATALINA_HOME/lib:$CLASSPATH:. > > but the helloworld link in index.jsp still did not see the > /home/alkao/Struts2/struts-2.5.12/lib/commons-lang3-3.6.jar. > > > my_tomcat.log did not have this line any more >