Programs can also be "exploded" (not in any type of zip file), so be sure to
search all files in the normal filesystem as well. To test your script, just
create a couple of zip files with some nested folders where you have placed
some made-up files called either "struts.xml" or "struts2-core-*.jar", to be
sure that your script is able to identify them. If it doesn't find those,
your script is unhappy!

On Wed, Sep 6, 2017 at 5:51 PM, Ken McWilliams <ken.mcwilli...@gmail.com>
wrote:

> Struts isn't a stand alone program but a framework, typically seen as
> project dependency which supports web development on the JVM.
>
> I don't know the answer to 1) [although I will, at the end, go through the
> process I would attempt to find such programs].
>
> 2) No. Struts2 [which is a different code base from Struts v1, and does not
> share the same issues] is a Java web framework; it will run on any JEE
> compliant web server, and will run on embedded web servers such as Jetty.
>
> 3) No. And the program list will not determine if the program uses the
> struts framework.
>
> How I would attempt to determine the issue:
>
> Most programs will not have been obfuscated (which may make determining
> this much harder).
> Java applications are typically packaged as JAR, WAR, or EAR. These are
> all just zip files. I would automate the process to scan for all such
> files, open them recursively travel their internal folder structure and
> search for either struts.xml OR struts2-core-*.jar where "*" is a version
> number, and accumulate all such files and or paths to these files into a
> plain text document and then check them by hand [to determine the version
> of struts, and determine if it has the security exploit and/or is
> exploitable (if it isn't accessible to the outside world, generally it
> isn't a concern; of course this depends on company size and the nature of what
> is being secured)]. Some assumptions could be made about the internal
> project structure that could save a great deal of time but because of build
> differences these shortcuts (assuming what folder libraries are stored in)
> could cause you to miss something so it is probably best to just search
> everything.
>
> On Wed, Sep 6, 2017 at 4:56 PM, Sean Son <linuxmailinglistsem...@gmail.com>
> wrote:
>
>> Hello all
>>
>> I am new to the mailing list as well as new to Apache Struts. We all heard
>> in the news about the vulnerability affecting Apache Struts. I have been
>> tasked to determine which of our servers have Struts running on them. I
>> have a few questions on how to determine if a server is running Struts or
>> not:
>>
>> 1) How does one determine if a Windows server, running IIS, has the Apache
>> Struts framework installed on it?
>>
>> 2) Does Apache Struts only run on Apache Webserver and Tomcat?
>>
>> 3) Is there a simple way to determine if a server has Struts installed,
>> instead of logging into each of the servers and checking the programs
>> list?
>>
>>
>> I appreciate ALL help!
>>
>>
>> Thanks
>>
>> Sean
>>
>
>
>
> --
> Sent from my C64 using a 300 baud modem
>



-- 
Sent from my C64 using a 300 baud modem
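A script that does the scan Ken describes, added here as an example and not code from this thread or from the Struts project: it walks a directory tree, opens every .jar/.war/.ear as a zip, recurses into archives nested inside them, checks loose files as well so exploded deployments are covered, and writes the hits to a plain-text report for hand review. The EAR/WAR fixture it builds in a temp directory is constructed for the demonstration and is not a real deployment. The version captured from the jar name is only the starting point; whether that version is affected, and whether the application is reachable from outside, still has to be checked by hand as the message says.

```python
"""Find Struts 2 indicators (struts.xml, struts2-core-<version>.jar) under a
directory tree, descending into JAR/WAR/EAR archives, which are plain zips."""
import io
import os
import re
import sys
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Matches e.g. struts2-core-2.3.32.jar and captures the version "2.3.32".
CORE_JAR_RE = re.compile(r"^struts2-core-(\d[\w.\-]*)\.jar$", re.IGNORECASE)


def classify(name):
    """('config', None) for struts.xml, ('core', version) for the Struts 2
    core jar, None for anything else. Only the file's base name matters."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower() == "struts.xml":
        return ("config", None)
    m = CORE_JAR_RE.match(base)
    return ("core", m.group(1)) if m else None


def scan_archive(data, location, findings, depth=0, max_depth=8):
    """Inspect an archive held in memory; recurse into archives nested in it.
    `location` accumulates an outer!inner!... chain so hits stay traceable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not actually a zip (corrupt, or a placeholder file)
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = f"{location}!{info.filename}"
            hit = classify(info.filename)
            if hit:
                findings.append((entry, hit[0], hit[1]))
            if info.filename.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                scan_archive(zf.read(info), entry, findings, depth + 1, max_depth)


def scan_tree(root):
    """Walk `root`; check loose files (exploded deployments) and archives.
    Returns a sorted list of (path, kind, version)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hit = classify(fname)
            if hit:
                findings.append((path, hit[0], hit[1]))
            if fname.lower().endswith(ARCHIVE_EXT):
                with open(path, "rb") as fh:  # whole archive read into memory
                    scan_archive(fh.read(), path, findings)
    return sorted(findings)


def write_report(findings, out_path):
    """Plain-text list to review by hand: kind, version, path per line."""
    with open(out_path, "w") as fh:
        for path, kind, version in findings:
            fh.write(f"{kind}\t{version or '-'}\t{path}\n")


def build_sample(root):
    """Constructed fixture (not a real deployment): an EAR nesting a WAR with
    struts.xml and a struts2-core jar, plus an exploded app with struts.xml."""
    classes = os.path.join(root, "exploded", "WEB-INF", "classes")
    os.makedirs(classes, exist_ok=True)
    with open(os.path.join(classes, "struts.xml"), "w") as fh:
        fh.write("<struts/>\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/classes/struts.xml", "<struts/>")
        z.writestr("WEB-INF/lib/struts2-core-2.3.32.jar", b"placeholder")
        z.writestr("WEB-INF/lib/commons-lang3-3.6.jar", b"placeholder")  # no hit
    with zipfile.ZipFile(os.path.join(root, "app.ear"), "w") as z:
        z.writestr("app.war", war.getvalue())


def demo():
    """Build the fixture in a temp dir, scan it, and return findings with
    paths made relative to that dir (so they are stable across runs)."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    build_sample(root)
    findings = scan_tree(root)
    write_report(findings, os.path.join(root, "struts-findings.txt"))
    return [(os.path.relpath(p, root).replace(os.sep, "/"), k, v)
            for p, k, v in findings]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        write_report(scan_tree(sys.argv[1]), "struts-findings.txt")
    else:
        for row in demo():
            print(row)
```

Run it as `python struts_scan.py /path/to/deployments` to get struts-findings.txt in the current directory; with no argument it scans the constructed fixture. Two caveats a practitioner should keep in mind: each archive is read fully into memory, so very large EARs would need a streaming approach, and a renamed or shaded jar (Struts classes bundled into the application's own jar) will not match on file name, which is the harder case the message warns about.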
