Posted to user@struts.apache.org by Greg Lindholm <gr...@gmail.com> on 2017/05/18 19:16:39 UTC

After upgrade to 2.3.32 and S2-045 attacks

I've upgraded to Struts 2.3.32.
Our site is still getting bombarded with S2-045 attacks.

The application logs are filled with stack traces from these. I noticed
that one request is often generating two stack traces. The first is
expected and the second isn't.

First exception (with most of the attack crap obscured):
2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
    at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
    at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)
    at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:192)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:131)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:92)
    at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:84)
    at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:849)
    ...

Second exception:
2017-05-16 06:18:22,024 WARN  org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/webapps/Resolution/webroot/WEB-INF/classes/struts.xml:24:26
    at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:276)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:265)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:76)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138)
    at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    ...

In the Tomcat access logs I see a "GET /index.action HTTP/1.1" but this
doesn't log headers etc. so I don't have the full request (with all the
attack code).

My app doesn't have a "/index.action" but it does have a catchAll [ action
name="*" ] which normally works but apparently not in this scenario.

I'm not able to reproduce this on my development machine.

Is anyone else seeing similar things happening?
Is there anything here to worry about?
Any changes I should be making?


Greg

Re: After upgrade to 2.3.32 and S2-045 attacks

Posted by Łukasz Lenart <lu...@gmail.com>.
There is nothing to worry about. The first exception is logged by the file
upload parsing layer because it cannot parse the multipart request; the second
is logged because the request did not pass validation and there is no
input result (the first exception was the cause of the failed validation).

On Thu., 18.05.2017 at 21:16 Greg Lindholm <gr...@gmail.com>
wrote:

> I've upgraded to Struts 2.3.32.
> Our site is still getting bombarded with S2-045 attacks.
>
> The application logs are filled with stack traces from these. I noticed
> that one request is often generating two stack traces. The first is
> expected and the second isn't.
>
> First exception (with most of the attack crap obscured):
> 2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
> org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
>     at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
>     at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)
>     at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:192)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:131)
>     at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:92)
>     at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:84)
>     at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:849)
>     ...
>
> Second exception:
> 2017-05-16 06:18:22,024 WARN  org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
> No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/webapps/Resolution/webroot/WEB-INF/classes/struts.xml:24:26
>     at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:276)
>     at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:265)
>     at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:76)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
>     at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
>     ...
>
> In the Tomcat access logs I see a "GET /index.action HTTP/1.1" but this
> doesn't log headers etc. so I don't have the full request (with all the
> attack code).
>
> My app doesn't have a "/index.action" but it does have a catchAll [ action
> name="*" ] which normally works but apparently not in this scenario.
>
> I'm not able to reproduce this on my development machine.
>
> Is anyone else seeing similar things happening?
> Is there anything here to worry about?
> Any changes I should be making?
>
>
> Greg
>
-- 
(mobile)
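A defender-side check for the log pattern the reply describes, added here as an example and not code from the thread: it groups Struts application log lines into events, flags the JakartaMultiPartRequest warning as an S2-045 probe only when the rejected Content-Type carries OGNL markers, and counts how many probes are followed within a few milliseconds by the "No result defined ... input" warning that the same request produces. The sample lines are constructed from the ones quoted above (payload obscured with XXXX as in the post); the timestamp and logger layout are assumed to match the poster's log4j pattern.

```python
import re
from datetime import datetime

# Constructed sample modelled on the thread's two WARN entries, plus one benign
# content-type failure (text/plain) that must not be counted as a probe.
SAMPLE_LOG = """\
2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXX}
2017-05-16 06:18:22,024 WARN  org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/WEB-INF/classes/struts.xml:24:26
2017-05-16 06:20:01,500 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is text/plain
"""

# Assumed log4j layout: "<timestamp> <LEVEL> <logger>:<line> - <message>".
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+(\S+) - (.*)$")
# OGNL expression markers that a legitimate Content-Type header never carries.
OGNL_RE = re.compile(r"%\{|ognl\.OgnlContext")

def parse_events(text):
    """Group lines into events: a timestamped header plus its continuation lines."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            events.append({"ts": ts, "logger": m.group(3), "body": m.group(4)})
        elif events:  # exception text and stack frames belong to the previous header
            events[-1]["body"] += " " + line.strip()
    return events

def classify(event):
    """Label the two log entries discussed in the thread; None for anything else."""
    logger, body = event["logger"], event["body"]
    if "JakartaMultiPartRequest" in logger and "InvalidContentTypeException" in body:
        return "s2045_probe" if OGNL_RE.search(body) else "bad_content_type"
    if "Dispatcher" in logger and "result input" in body:
        return "missing_input_result"
    return None

def scan(text, window_ms=100):
    """Count probes and how many are paired with a following 'input' warning."""
    events = parse_events(text)
    for e in events:
        e["kind"] = classify(e)
    probes = [e for e in events if e["kind"] == "s2045_probe"]
    inputs = [e for e in events if e["kind"] == "missing_input_result"]
    paired = sum(1 for p in probes if any(
        0 <= (i["ts"] - p["ts"]).total_seconds() * 1000 <= window_ms for i in inputs))
    benign = sum(1 for e in events if e["kind"] == "bad_content_type")
    return {"probes": len(probes), "paired": paired, "benign_content_type_errors": benign}
```

Running `scan()` over a real log gives a count of probe attempts and confirms that the second stack trace is the expected companion of the first rather than a separate problem.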