Posted to user@struts.apache.org by Jim Spellman <ji...@gmail.com> on 2017/03/08 22:04:56 UTC

ognl exploit

Is there a way to turn off ognl, so as to prevent this exploit?
https://github.com/rapid7/metasploit-framework/issues/8064

I found someone trying to break into my server and was able to issue
system level commands by injecting this ognl language into the content
header of a multipart form.

I'm currently using:

struts2-core-2.5.2.jar
ognl-3.1.10.jar

Any help would be appreciated.
Thanks...
Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: ognl exploit

Posted by Jim Spellman <ji...@gmail.com>.
Ah, looks like all I need to do is upgrade. I missed the release note
on this...
Jim

On Wed, Mar 8, 2017 at 5:04 PM, Jim Spellman <ji...@gmail.com> wrote:
> Is there a way to turn off ognl, so as to prevent this exploit?
> https://github.com/rapid7/metasploit-framework/issues/8064
>
> I found someone trying to break into my server and was able to issue
> system level commands by injecting this ognl language into the content
> header of a multipart form.
>
> I'm currently using:
>
> struts2-core-2.5.2.jar
> ognl-3.1.10.jar
>
> Any help would be appreciated.
> Thanks...
> Jim
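
An added example, not from the original posts or the Struts project: a log check for the pattern the thread describes, OGNL placed in the Content-Type header of a multipart request. The tab-separated log format, the length limit and the sample lines are constructed assumptions; the injected value is a harmless stand-in expression.

```python
import re

# Struts evaluates OGNL wrapped in %{...} or ${...}; neither belongs in a Content-Type.
OGNL_MARKER = re.compile(r"[%$]\{")
# Deliberately strict subset of the media-type grammar: type/subtype plus ;key=value parameters.
TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
MEDIA_TYPE = re.compile(rf'^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=("[^"\\]*"|{TOKEN}))*\s*$')
MAX_LEN = 256  # assumption: legitimate Content-Type values are far shorter

# Constructed sample log (assumed format): timestamp, client, method, path, Content-Type
SAMPLE_LOG = [
    "2017-03-08T21:58:01Z\t192.0.2.10\tPOST\t/upload.action\t"
    "multipart/form-data; boundary=----FormBoundary7MA4YWxk",
    "2017-03-08T21:58:07Z\t198.51.100.23\tPOST\t/upload.action\t"
    "%{1+1}.multipart/form-data",
    "2017-03-08T21:58:09Z\t192.0.2.10\tGET\t/index.action\t-",
    "2017-03-08T21:58:12Z\t192.0.2.44\tPOST\t/login.action\t"
    "application/x-www-form-urlencoded; charset=UTF-8",
]

def check_content_type(value):
    """Return the reasons a Content-Type value looks like an injection attempt."""
    reasons = []
    if OGNL_MARKER.search(value):
        reasons.append("ognl-marker")
    if not MEDIA_TYPE.match(value):
        reasons.append("not-a-media-type")
    if len(value) > MAX_LEN:
        reasons.append("too-long")
    return reasons

def scan(log_lines):
    """Return (client, path, reasons) for every request with a suspicious Content-Type."""
    hits = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5 or fields[4] == "-":
            continue  # malformed line, or request sent without a Content-Type
        _ts, client, _method, path, ctype = fields
        reasons = check_content_type(ctype)
        if reasons:
            hits.append((client, path, reasons))
    return hits

if __name__ == "__main__":
    for client, path, reasons in scan(SAMPLE_LOG):
        print(f"{client} {path} flagged: {', '.join(reasons)}")
```

A hit only shows that a request was sent; whether it succeeded depends on the Struts version deployed at the time, so flagged clients are a starting point for host-level review.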
