Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 2014-07-17 11:15 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> > Lukasz Lenart <lukaszlenart <at> apache.org> writes:
> >
> >> This vulnerability was resolved in 2.3.15.1, more details here
> >> http://struts.apache.org/release/2.3.x/docs/s2-017.html
> >>
> >> For sure you must switch off devMode in production, thus has large
> >> impact on overall application performance
> >>
> >> 2014-07-16 17:28 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> >> > Hi, getting the below error. Looks like somebody tried to attack our
> >> > application with a redirect. Below is the log. Please advise.
> >> >
> >> > ParametersInterceptor:34 - Developer Notification (set struts.devMode to
> >> > false to disable this message):
> >> > Unexpected Exception caught setting
> >> > 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
> >> > #res.setCharacterEncoding("UTF-8"),
> >> > #req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
> >> > #res.getWriter().print("dir:"),
> >> > #res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),
> >> > #res.getWriter().flush(),#res.getWriter().close()}'
> >> > on 'class java.lang.String: 100
> >> >
> >> > somebody trying to post something to the server with the redirect url.
> >> >
> >> > Please suggest what should I do.
> >> >
> >> > Thanks
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: user-unsubscribe <at> struts.apache.org
> >> > For additional commands, e-mail: user-help <at> struts.apache.org
> >
> > Hi
> > Many thanks for the reply post. I am just wondering, we have already been
> > upgraded to a later version than 2.3.15.1, which is 2.3.16.2. Should this not
> > be handling this kind of vulnerability by default?
> > What I mean is, say, Windows 8 is an upgraded version of Windows 7. Whatever
> > issues were resolved in Windows 7 must not appear again in Windows 8, right?
> >
> > Is it recommendable to go back to 2.3.15.1? (We have moved to 2.3.16.2 to
> > tackle other vulnerabilities)
> >
> > And we have already switched off devMode in production. Still we are getting
> > the below error.
> >
> > Kindly advise. Appreciate the quick response.
>
> If you are using 2.3.16.2 you are safe, after disabling devMode what
> kind of error do you see in the logs?
> Can you post the whole log entry?
>
> Regards

2014-04-18 05:23:12,320 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message): Unexpected Exception caught setting 'redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()}' on 'class java.lang.String: 100

This is the complete log entry. Looks like it's a hack attempt trying to post some data to the server? Please advise on the possible fix.
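
Added example (not part of the original thread and not Struts project code): a small Python triage script for ParametersInterceptor entries like the ones posted above. It flags parameter names that begin with redirect: and carry an OGNL expression, and, as a generalization beyond the thread, also checks the sibling redirectAction: and action: prefixes; the sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not from a real server). The expression
# bodies are harmless placeholders; only the shape matters for detection.
SAMPLE_LOG = """\
2014-04-18 05:23:12,320 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message): Unexpected Exception caught setting 'redirect:${#a=1}' on 'class java.lang.String: 100
2014-04-18 05:23:40,001 INFO  LoginAction:58 - user login ok
2014-04-18 05:24:02,777 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message): Unexpected Exception caught setting 'user.nmae' on 'class com.example.LoginAction: Error setting expression
2014-04-18 05:25:10,114 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message): Unexpected Exception caught setting 'redirectAction:%{#b=2}' on 'class java.lang.String: 100
"""

# The parameter name may itself contain single quotes (see the entries in the
# thread), so capture greedily up to the last "' on '" on the line.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+\w+\s+"
    r"ParametersInterceptor:\d+ - .*?"
    r"Unexpected Exception caught setting '(?P<param>.*)' on '")
# Special parameter prefixes; only "redirect:" appears in the thread.
PREFIX = re.compile(r"^(redirect|redirectAction|action):")
# OGNL expression delimiters inside a parameter name.
OGNL = re.compile(r"[$%]\{")

def triage(log_text):
    """Return one record per ParametersInterceptor 'caught setting' entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # unrelated log line
        param = m.group("param")
        prefix = PREFIX.match(param)
        has_ognl = bool(OGNL.search(param))
        findings.append({
            "timestamp": m.group("ts"),  # compare with upgrade/devMode change date
            "prefix": prefix.group(1) if prefix else None,
            "ognl": has_ognl,
            "probe": bool(prefix) and has_ognl,  # prefix + expression = probe
        })
    return findings

def summarize(findings):
    """Count probe entries per prefix."""
    return Counter(f["prefix"] for f in findings if f["probe"])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Entries that match the interceptor message but have no special prefix, such as a mistyped form field, are reported with probe set to False so they can be separated from probe traffic.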