Hello all, sorry for the delay, but I was on holiday from Wednesday. OK, I made a ticket for the developers to upgrade Struts. They told me that they will work on that.
So, I will keep in touch with the news =) Again, thanks all for all the support you give me.

Regards, Leonardo

Saludos.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>

2014-05-01 18:48 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:

> Cédric,
>
> On 5/1/14, 10:00 AM, Cédric Couralet wrote:
> > 2014-04-30 19:07 GMT+02:00 Christopher Schultz
> > <ch...@christopherschultz.net>:
> >
> > Leonardo,
> >
> > On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
> >>>> I'm uploading my logfiles so it will be available when
> >>>> finished uploading.
> >
> > Remember to get a thread dump while Runtime.exec() is running.
> >
> > You should copy the script /tmp/4.sh somewhere else so you have a
> > copy in case the attacker tries to clean-up after themselves.
> > That's certainly what's doing the evil work.
> >
> > You could probably set up iptables or something to restrict
> > outgoing requests so that the attack can't progress across your
> > network.
> >
> >>>> Regarding the configuration, it's working in two other sites
> >>>> without problem, and there is no problem putting L4 balancing
> >>>> with haproxy.
> >>>>
> >>>> I have asked developers about that exploit, still without
> >>>> answer.
> >
> > You appear to be using struts2 2.1.8, which is in the range of
> > versions vulnerable to this bug. There is a workaround that you
> > can probably apply:
> > http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the
> > last section on this page).
> >
> >> Of course, the vulnerability doesn't allow you to simply inject
> >> code
> > or anything like that: you can certainly mess-around with code that
> > is already available on the site, though.
> >
> >
> >> I think the S2-021 can be used to inject code. There is a POC
> >> circulating proving it. That said, this struts version (2.1.8) is
> >> also vulnerable to
> >> http://struts.apache.org/release/2.3.x/docs/s2-016.html which
> >> permits code execution very easily.
>
> Ouch. Yeah, there's always that ;)
>
> -chris
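
The evidence-preservation steps suggested in the quoted reply (keep a copy of /tmp/4.sh, take a thread dump while Runtime.exec() is running), as an added shell example that is not part of the original thread. The function names, the evidence directory layout and the use of `jstack` and `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names and the
# evidence directory layout are assumptions made for illustration.

# Copy a suspicious file into an evidence directory, keeping its timestamps,
# recording the original's metadata and a SHA-256 of the copy, and leaving the
# copy read-only and non-executable. Prints the path of the copy.
preserve_file() {
    src=$1; dest_dir=$2
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    chmod 700 "$dest_dir"
    name="$(basename "$src").$(date -u +%Y%m%dT%H%M%SZ)"
    cp -p -- "$src" "$dest_dir/$name" || return 1
    chmod 400 "$dest_dir/$name"
    # Owner, mode and mtime of the original, as seen at collection time.
    ls -ln "$src" > "$dest_dir/$name.meta"
    (cd "$dest_dir" && sha256sum "$name" > "$name.sha256") || return 1
    echo "$dest_dir/$name"
}

# Re-check a preserved copy against the hash recorded when it was collected.
verify_file() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1)
}

# Take a thread dump of the Tomcat JVM while the child process is still
# running. jstack ships with the JDK and must run as the JVM's user.
dump_threads() {
    pid=$1; dest_dir=$2
    command -v jstack >/dev/null 2>&1 || { echo "jstack not found" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    jstack -l "$pid" > "$dest_dir/threads.$(date -u +%Y%m%dT%H%M%SZ).txt"
}

# Usage (paths and PID are placeholders):
#   preserve_file /tmp/4.sh /root/evidence
#   dump_threads <tomcat-pid> /root/evidence
```

Store the evidence directory on a volume the Tomcat user cannot write to, so the copy survives any clean-up run through the compromised application.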