Re: Struts Vulnerability

2017-09-07 Thread Guang Chao
On Thu, Sep 7, 2017 at 3:17 PM, Greg Huber wrote:

> >2) Does Apache Struts only run on Apache Webserver and Tomcat?
>
> Should run on Java-based servers: GlassFish, WebSphere, etc.
>
> >3) Is there a simple way to determine if a server has Struts installed,
> >instead of logging into each of the servers and checking the programs
> >list?
>
> You could try to execute a Struts action, i.e. test.action, on the server;
> if Struts is there it will reply:
>
> There is no Action mapped for namespace [/] and action name [test]
> associated with context path [].
>
> ...but it depends on how the server is set up and how it deals with the
> 404s.
>

It seems OP has no docs for SCM. He also may not know what the context
paths of the applications are.


>
> Alternatively, look for a jar struts.x.x.x.jar or struts2-core-x.x.x.jar in
> the lib directory of Tomcat.
>

Yes, use a wildcard to search for the struts2 jar. I think this jar is bundled
with the application and not with the app server.


>
> Struts1 is EOL, Struts2 struts2-core-2.5.13.jar
>
> Look at the struts website for security bulletins etc
> https://struts.apache.org/
>
>
> On 7 September 2017 at 00:18, Sean Son 
> wrote:
>
> > Hello all
> >
> > I am new to the mailing list as well as new to Apache Struts.  We all heard
> > in the news about the vulnerability affecting Apache Struts. I have been
> > tasked to determine which of our servers have Struts running on them.  I
> > have a few questions on how to determine if a server is running Struts or
> > not:
> >
> > 1) How does one determine if a Windows server, running IIS, has the Apache
> > Struts framework installed on it?
> >
> > 2) Does Apache Struts only run on Apache Webserver and Tomcat?
> >
> > 3) Is there a simple way to determine if a server has Struts installed,
> > instead of logging into each of the servers and checking the programs list?
> >
> >
> > I appreciate ALL help!
> >
>



-- 
Guang 


Re: Struts Vulnerability

2017-09-07 Thread Greg Huber
>2) Does Apache Struts only run on Apache Webserver and Tomcat?

Should run on Java-based servers: GlassFish, WebSphere, etc.

>3) Is there a simple way to determine if a server has Struts installed,
>instead of logging into each of the servers and checking the programs
>list?

You could try to execute a Struts action, i.e. test.action, on the server;
if Struts is there it will reply:

There is no Action mapped for namespace [/] and action name [test]
associated with context path [].

...but it depends on how the server is set up and how it deals with the 404s.

Alternatively, look for a jar struts.x.x.x.jar or struts2-core-x.x.x.jar in
the lib directory of Tomcat.

Struts1 is EOL, Struts2 struts2-core-2.5.13.jar

Look at the struts website for security bulletins etc
https://struts.apache.org/


On 7 September 2017 at 00:18, Sean Son 
wrote:

> Hello all
>
> I am new to the mailing list as well as new to Apache Struts.  We all heard
> in the news about the vulnerability affecting Apache Struts. I have been
> tasked to determine which of our servers have Struts running on them.  I
> have a few questions on how to determine if a server is running Struts or
> not:
>
> 1) How does one determine if a Windows server, running IIS, has the Apache
> Struts framework installed on it?
>
> 2) Does Apache Struts only run on Apache Webserver and Tomcat?
>
> 3) Is there a simple way to determine if a server has Struts installed,
> instead of logging into each of the servers and checking the programs list?
>
>
> I appreciate ALL help!
>


Re: Struts Vulnerability

2017-09-07 Thread Guang Chao
On Thu, Sep 7, 2017 at 7:18 AM, Sean Son 
wrote:

> Hello all
>
> I am new to the mailing list as well as new to Apache Struts.  We all heard
> in the news about the vulnerability affecting Apache Struts. I have been
> tasked to determine which of our servers have Struts running on them.  I
> have a few questions on how to determine if a server is running Struts or
> not:
>
> 1) How does one determine if a Windows server, running IIS, has the Apache
> Struts framework installed on it?
>
> 2) Does Apache Struts only run on Apache Webserver and Tomcat?
>
> 3) Is there a simple way to determine if a server has Struts installed,
> instead of logging into each of the servers and checking the programs list?
>
>
> I appreciate ALL help!
>

You can try to search the file system for the Struts jar.
Btw, it seems only Struts 2 is affected by the issue.

-- 
Guang 
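
Added example (not part of the thread and not Struts project code): a file-system inventory along the lines suggested in the replies above. Since the jar is usually bundled with the application rather than the app server, it also looks inside WAR/EAR archives. The "struts-core" Struts 1 jar name and the function names are assumptions made for this sketch.

```python
import io
import os
import re
import zipfile

# Jar names mentioned in the thread: struts.x.x.x.jar and struts2-core-x.x.x.jar.
# The "struts-core" variant for Struts 1 is an assumption added here.
JAR_RE = re.compile(r"^(struts2-core|struts-core|struts)[-.](\d+(?:\.\d+)*)\.jar$", re.I)
ARCHIVE_EXT = (".war", ".ear")


def classify(name):
    """Return (generation, version) for a Struts jar file name, else None."""
    m = JAR_RE.match(os.path.basename(name))
    if not m:
        return None
    generation = 2 if m.group(1).lower().startswith("struts2") else 1
    return generation, m.group(2)


def scan_archive(data, label, found):
    """Look for Struts jars inside a WAR/EAR, recursing into nested archives."""
    try:
        with zipfile.ZipFile(data) as zf:
            for entry in zf.namelist():
                hit = classify(entry)
                if hit:
                    found.append((f"{label}!/{entry}", *hit))
                elif entry.lower().endswith(ARCHIVE_EXT):
                    scan_archive(io.BytesIO(zf.read(entry)), f"{label}!/{entry}", found)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or corrupt archive: skip it rather than abort the scan


def find_struts(root):
    """Walk root and return sorted (location, generation, version) tuples."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hit = classify(fname)
            if hit:
                found.append((path, *hit))
            elif fname.lower().endswith(ARCHIVE_EXT):
                scan_archive(path, path, found)
    return sorted(found)


if __name__ == "__main__":
    import sys
    for location, generation, version in find_struts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"Struts {generation} {version}\t{location}")
```

Run it against the application deployment directories on each server; the same script works on Windows and Unix hosts because it relies only on the Python standard library.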


Struts Vulnerability

2017-09-06 Thread Sean Son
Hello all

I am new to the mailing list as well as new to Apache Struts.  We all heard
in the news about the vulnerability affecting Apache Struts. I have been
tasked to determine which of our servers have Struts running on them.  I
have a few questions on how to determine if a server is running Struts or
not:

1) How does one determine if a Windows server, running IIS, has the Apache
Struts framework installed on it?

2) Does Apache Struts only run on Apache Webserver and Tomcat?

3) Is there a simple way to determine if a server has Struts installed,
instead of logging into each of the servers and checking the programs list?


I appreciate ALL help!