Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 
> This vulnerability was resolved in 2.3.15.1, more details here
> http://struts.apache.org/release/2.3.x/docs/s2-017.html
> 
> For sure you must switch off devMode in production; this has a large
> impact on overall application performance
> 
> 2014-07-16 17:28 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> > Hi, getting the below error. Looks like somebody tried to attack our application
> > with a redirect. Below is the log. Please advise.
> >
> > ParametersInterceptor:34 - Developer Notification (set struts.devMode to false
> > to disable this message):
> > Unexpected Exception caught setting
> > 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}' on 'class java.lang.String: 100
> >
> >
> > Somebody is trying to post something to the server with the redirect URL.
> >
> > Please suggest what I should do.
> >
> > Thanks
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe <at> struts.apache.org
> > For additional commands, e-mail: user-help <at> struts.apache.org
> >
> 

Hi,
Many thanks for the reply post. I am just wondering: we have already been
upgraded to a later version of 2.3.15.1, which is 2.3.16.2. Should this not be
handling this kind of vulnerability by default? What I mean is, say, Windows
8 is an upgraded version of Windows 7. Whatever issues that were resolved in
Windows 7 must not appear again in Windows 8, right?

Is it recommendable to go back to 2.3.15.1? (We have moved to 2.3.16.2 to
tackle other vulnerabilities.)

And we have already switched off devMode in production. Still we are getting
the below error.

Kindly advise. Appreciate the quick response.
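
Added example, not part of either poster's message and not Struts code: a small triage script for the kind of ParametersInterceptor entry quoted above, separating entries whose parameter name carries a special prefix plus an OGNL expression from ordinary type-mismatch noise. The sample log lines, the verdict labels and the function names are constructed for illustration; the prefix list is background taken from the S2-016/S2-017 advisories.

```python
import re
from collections import Counter

# Parameter-name prefixes named in the S2-016/S2-017 advisories
# (background assumption; the thread itself only shows "redirect:").
SPECIAL_PREFIXES = ("redirect:", "redirectAction:", "action:")

# The ParametersInterceptor message format quoted in the thread.
ENTRY = re.compile(
    r"Unexpected Exception caught setting\s+'(?P<name>.*)'\s+on\s+'class ")
OGNL_EXPR = re.compile(r"[$%]\{")  # ${...} or %{...} inside a parameter name

def classify(line):
    """Return (verdict, parameter_name), or None if the line is not such an entry."""
    m = ENTRY.search(line)
    if m is None:
        return None
    name = m.group("name")
    has_prefix = name.startswith(SPECIAL_PREFIXES)
    has_expr = bool(OGNL_EXPR.search(name))
    if has_prefix and has_expr:
        verdict = "ognl-probe"       # expression placed behind a special prefix
    elif has_prefix:
        verdict = "prefix-only"      # special prefix, no expression syntax
    elif has_expr or "#" in name:
        verdict = "suspicious-name"  # expression syntax in an ordinary name
    else:
        verdict = "benign-mismatch"  # ordinary type-conversion noise
    return verdict, name

def triage(lines):
    """Count verdicts over an iterable of log lines."""
    return Counter(r[0] for r in map(classify, lines) if r)

# Constructed sample lines (expression elided with "..."; not real log data).
SAMPLE_LOG = [
    "WARN ParametersInterceptor:34 - Unexpected Exception caught setting "
    "'redirect:${#res=#context.get(...)}' on 'class java.lang.String: 100",
    "WARN ParametersInterceptor:34 - Unexpected Exception caught setting "
    "'pageSize' on 'class example.ListAction: Error setting expression",
    "INFO Dispatcher:42 - request served",
    "WARN ParametersInterceptor:34 - Unexpected Exception caught setting "
    "'redirectAction:home' on 'class java.lang.String: 100",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print(dict(triage(SAMPLE_LOG)))
```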


