Posted to issues@struts.apache.org by "Lukasz Lenart (JIRA)" <ji...@apache.org> on 2018/12/12 19:21:00 UTC

[jira] [Commented] (WW-4947) server errors generated by secure-jakarta-multipart-parser-plugin

    [ https://issues.apache.org/jira/browse/WW-4947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16719327#comment-16719327 ] 

Lukasz Lenart commented on WW-4947:
-----------------------------------

This plugin is just a port of what we have done in the main Struts line. It allows you to temporarily resolve the issue reported in the mentioned CVE by applying the plugin if you are running {{Struts 2.3.8 till 2.5.5}} - without migration to the latest Struts version.

https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md#supported-versions

> server errors generated by secure-jakarta-multipart-parser-plugin
> -----------------------------------------------------------------
>
>                 Key: WW-4947
>                 URL: https://issues.apache.org/jira/browse/WW-4947
>             Project: Struts 2
>          Issue Type: Dependency
>            Reporter: Nicola
>            Priority: Major
>             Fix For: 2.6
>
>
>  
> Hi, my name is Nick,
> first Jira here.
>  
> I installed secure-jakarta-multipart-parser-plugin-1.1 software to patch CVE-2017-5638 security issue.
> Since it's an official plugin, I expected to find some documentation on how it works and what kind of response to expect from the server. But I didn't find any, I guess because the preferred patch is to actually update Struts version to a more secure one, which I can't do unfortunately.
> PROBLEM: I'm getting several different exceptions when I try to attack the system.
> Sometimes I just get the HTML. So I guess the attack has not worked (and the patch did stop it), but it's hard for me to understand why I get such different responses from the server.
> My main doubt is why sometimes the server returns an error and sometimes it just returns the HTML.
>  
> Am I doing this right? Is this how it's supposed to work? Or is this an issue that should be handled somehow at the application level?
>  
> Thanks in advance
>  
>  


