On Wed, Sep 6, 2017 at 7:56 PM, Ken McWilliams <ken.mcwilli...@gmail.com> wrote:

> Programs can also be "exploded" (not in any type of zip file), so be sure to
> search all files in the normal filesystem as well. To test your script, just
> create a couple of zip files with some nested folders where you have placed
> some made-up files either called "struts.xml" or "struts2-core-*.jar" to be
> sure that your script is able to identify them. If it doesn't find those,
> your script is unhappy!
>
> On Wed, Sep 6, 2017 at 5:51 PM, Ken McWilliams <ken.mcwilli...@gmail.com> wrote:
>
> > Struts isn't a stand-alone program but a framework, typically seen as a
> > project dependency which supports web development on the JVM.
> >
> > I don't know the answer to 1) [although I will at the end go through the
> > process I would attempt to find such programs].
> >
> > 2) No. Struts2 [which is a different code base from Struts v1, and does not
> > share the same issues] is a Java Web Framework; it will run on any JEE
> > compliant web server, and will run on embedded web servers such as Jetty.
> >
> > 3) No. And the program list will not determine if the program uses the
> > Struts framework.
> >
> > How I would attempt to determine the issue:
> >
> > Most programs will not have been obfuscated (which may make determining
> > this much harder).
> > Java applications are typically packaged as JAR, WAR, or EAR. These are
> > all just zip files. I would automate the process to scan for all such
> > files, open them, recursively travel their internal folder structure and
> > search for either struts.xml OR struts2-core-*.jar where "*" is a version
> > number, and accumulate all such files and/or paths to these files into a
> > plain text document and then check them by hand [to determine the version
> > of Struts, and determine if it has the security exploit and/or is
> > exploitable (if it isn't accessible to the outside world generally it
> > isn't a concern; of course this depends on company size and the nature of
> > what is being secured)].
> >
> > Some assumptions could be made about the internal project structure that
> > could save a great deal of time, but because of build differences these
> > shortcuts (assuming what folder libraries are stored in) could cause you
> > to miss something, so it is probably best to just search everything.
> >
> > On Wed, Sep 6, 2017 at 4:56 PM, Sean Son <linuxmailinglistsemail@gmail.com> wrote:
> >
> > > Hello all
> > >
> > > I am new to the mailing list as well as new to Apache Struts. We all heard
> > > in the news about the vulnerability affecting Apache Struts. I have been
> > > tasked to determine which of our servers have Struts running on them. I
> > > have a few questions on how to determine if a server is running Struts or
> > > not:
> > >
> > > 1) How does one determine if a Windows server, running IIS, has the Apache
> > > Struts framework installed on it?
> > >
> > > 2) Does Apache Struts only run on Apache Webserver and Tomcat?
> > >
> > > 3) Is there a simple way to determine if a server has Struts installed,
> > > instead of logging into each of the servers and checking the programs
> > > list?
> > >
> > > I appreciate ALL help!
> > >
> > > Thanks
> > >
> > > Sean
> >
> > --
> > Sent from my C64 using a 300 baud modem
>
> --
> Sent from my C64 using a 300 baud modem

Thank you for your reply. Do you know what script should be used for Windows servers to check for Struts? I am not a Windows Admin, so any guidance will be greatly appreciated! Thanks
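The inventory procedure Ken describes above (walk the filesystem, treat every JAR/WAR/EAR as a zip, recurse into archives nested in archives, and record every struts.xml or struts2-core-*.jar for manual review) as a worked example. This is an added script, not code from anyone on the thread; it uses only the Python standard library so the same file runs on a Windows server or on Linux. The directory layout, file names and the version "1.2.3" in the built-in fixture are constructed test data, exactly the kind of made-up files Ken suggests creating to prove the scanner works.

```python
"""Struts inventory scanner (added example). Reports files named struts.xml
or struts2-core-<version>.jar found on the plain filesystem ("exploded"
deployments) or inside JAR/WAR/EAR archives, including nested archives."""
import fnmatch
import io
import os
import re
import tempfile
import zipfile

TARGET_PATTERNS = ("struts.xml", "struts2-core-*.jar")   # indicators from the thread
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")       # Java packaging is just zip
VERSION_RE = re.compile(r"^struts2-core-(.+)\.jar$", re.IGNORECASE)


def matches_target(name):
    """True if the basename of a path or zip entry is one of the indicators."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(base.lower(), p) for p in TARGET_PATTERNS)


def version_of(name):
    """Version from struts2-core-<version>.jar, or None for other names."""
    m = VERSION_RE.match(name.replace("\\", "/").rsplit("/", 1)[-1])
    return m.group(1) if m else None


def scan_archive(data, location, hits, depth=0, max_depth=8):
    """Search one in-memory zip; recurse into zips it contains."""
    if depth > max_depth:            # guard against absurd nesting
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                       # zip-like name, but not a zip: skip
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = f"{location}!{info.filename}"   # "outer.ear!inner.war!path"
            if matches_target(info.filename):
                hits.append((entry, version_of(info.filename)))
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(info), entry, hits, depth + 1, max_depth)


def find_struts(root):
    """Sorted (location, version-or-None) pairs for every hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if matches_target(fn):                   # exploded deployment
                hits.append((full, version_of(fn)))
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with open(full, "rb") as fh:
                        scan_archive(fh.read(), full, hits)
                except OSError:
                    continue                         # unreadable: keep going
    return sorted(hits, key=lambda h: h[0])


def build_sample_tree(root):
    """Constructed fixture: an EAR wrapping a WAR that holds both indicators,
    an exploded app with struts.xml, and a decoy. Version 1.2.3 is made up."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/classes/struts.xml", "<struts/>")
        z.writestr("WEB-INF/lib/struts2-core-1.2.3.jar", b"not a real jar")
        z.writestr("WEB-INF/lib/other-lib.jar", b"not a real jar either")
    os.makedirs(os.path.join(root, "apps"))
    with zipfile.ZipFile(os.path.join(root, "apps", "shop.ear"), "w") as z:
        z.writestr("shop.war", war.getvalue())
    exploded = os.path.join(root, "webapps", "portal", "WEB-INF", "classes")
    os.makedirs(exploded)
    with open(os.path.join(exploded, "struts.xml"), "w") as fh:
        fh.write("<struts/>")
    with open(os.path.join(root, "webapps", "readme.txt"), "w") as fh:
        fh.write("no struts here")


def demo():
    """Build the fixture in a temp dir, scan it, return root-relative hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(h[len(root) + 1:].replace(os.sep, "/"), v)
                for h, v in find_struts(root)]


if __name__ == "__main__":
    # A real inventory run would call find_struts() on a drive or mount point
    # and write the lines to a text file for the manual version check.
    for location, version in demo():
        print(f"{location}\t{version or '-'}")
```

The "!" separator in the output marks each archive boundary, so a reviewer can see exactly which EAR or WAR a hit came from and go check the version by hand, as the thread recommends; a struts.xml hit carries no version, which is why the jar name is the more useful of the two indicators.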