Posted to user@struts.apache.org by saikrishna <sa...@gmail.com> on 2014/07/16 17:28:17 UTC

redirect vulnerability after upgrading to Struts 2.3.16.2

Hi, getting the below error. Looks like somebody tried to attack our application
with a redirect. Below is the log. Please advise.

ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}' on 'class java.lang.String: 100


Somebody is trying to post something to the server with the redirect URL.

Please suggest what should I do.

Thanks




---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
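A defender's reading of the log entry above, as an added example (not code from the thread, from Struts, or from the poster): a Python scan that pulls the parameter name out of each ParametersInterceptor devMode notification, separates OGNL injection attempts and stray "redirect:" prefixes from ordinary binding errors, and records that the notification appearing at all means the running instance still has devMode on. The log lines, and the LoginAction/UserAction names in them, are constructed from the entries quoted in this thread.

```python
import re

# Constructed sample, modelled on the ParametersInterceptor entries quoted in
# this thread; the notification is logged as two lines (header, then message).
SAMPLE_LOG = (
    "2014-04-18 05:23:12,320 ERROR ParametersInterceptor:34 - Developer Notification "
    "(set struts.devMode to false to disable this message):\n"
    "Unexpected Exception caught setting 'redirect:${#a=#context.get('com.opensymphony"
    ".xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath(\"/\")}' on 'class "
    "java.lang.String: 100\n"
    "2014-04-18 05:23:13,001 INFO  LoginAction:58 - user login ok\n"
    "2014-04-18 05:24:00,500 ERROR ParametersInterceptor:34 - Developer Notification "
    "(set struts.devMode to false to disable this message):\n"
    "Unexpected Exception caught setting 'age' on 'class com.example.UserAction: "
    "Error setting expression 'age' with value 'abc'\n"
)

# The devMode notification as XWork's ParametersInterceptor emits it.
DEV_NOTIFICATION = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) +"
    r"ParametersInterceptor:\d+ - Developer Notification "
    r"\(set struts\.devMode to false to disable this message\):\s*"
    r"Unexpected Exception caught setting '(?P<param>[^\n]*)' on '(?P<target>[^\n]*)$",
    re.M,
)
# OGNL smuggled into a parameter *name*: ${...}, %{...}, or the #context root.
OGNL_MARKERS = re.compile(r"\$\{|%\{|#context\b")
# Result-code prefixes S2-017 (linked in the thread) disabled; no form field has one.
RESULT_PREFIX = re.compile(r"^(?:redirect|redirectAction):", re.I)


def classify_param(name):
    """Return 'ognl', 'result-prefix' or None for a notification's parameter name."""
    if OGNL_MARKERS.search(name):
        return "ognl"
    if RESULT_PREFIX.match(name):
        return "result-prefix"
    return None


def analyse(log_text):
    """Separate attack attempts from ordinary binding noise in devMode notifications."""
    report = {"dev_mode_effective": False, "attempts": [], "benign": 0}
    for m in DEV_NOTIFICATION.finditer(log_text):
        # The notification is only emitted when struts.devMode is true in the
        # running instance, so any hit means the setting has not taken effect
        # (the thread's case: config changed, application not yet restarted).
        report["dev_mode_effective"] = True
        kind = classify_param(m.group("param"))
        if kind is None:
            report["benign"] += 1
        else:
            report["attempts"].append(
                {"ts": m.group("ts"), "kind": kind, "param": m.group("param")[:60]}
            )
    return report


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```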


Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by Lukasz Lenart <lu...@apache.org>.
2014-07-17 14:24 GMT+02:00 saikrishna <sa...@gmail.com>:
> I contacted the middleware team, who does the server restarts. The server is getting
> restarted daily! Actually, one month back we did the Struts upgrade to
> 2.3.16.2. As part of that, we just updated our pom.xml with the Struts
> version, as our project is Maven based. At that time, dev mode was
> already set to false. Are any more changes required in any of the files during
> a Struts upgrade?

It depends on your setup.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by saikrishna <sa...@gmail.com>.
Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 
> 2014-07-17 12:30 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> > Production servers are handled by some other team. You want me to recycle the
> > servers once?
> 
> Yes, you should do it as soon as possible - after switching devMode to
> off you must restart the application for it to take effect.
> And as I said, you are using a safe version; this error has meaning only
> during development, to indicate that something unexpected happened. It
> can be ignored on production (with devMode off you will not see such
> a message).
> 
> Regards


I contacted the middleware team, who does the server restarts. The server is getting
restarted daily! Actually, one month back we did the Struts upgrade to
2.3.16.2. As part of that, we just updated our pom.xml with the Struts
version, as our project is Maven based. At that time, dev mode was
already set to false. Are any more changes required in any of the files during
a Struts upgrade?




Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by Lukasz Lenart <lu...@apache.org>.
2014-07-17 12:30 GMT+02:00 saikrishna <sa...@gmail.com>:
> Production servers are handled by some other team. You want me to recycle the
> servers once?

Yes, you should do it as soon as possible - after switching devMode to
off you must restart the application for it to take effect.
And as I said, you are using a safe version; this error has meaning only
during development, to indicate that something unexpected happened. It
can be ignored on production (with devMode off you will not see such
a message).


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by saikrishna <sa...@gmail.com>.
Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 
> 2014-07-17 12:26 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> > Even though dev mode is set to false, we are getting errors as above asking us
> > to set devmode to false, which is already there.
> >
> > and both entries are taken from production logs.
> 
> Have you restarted the app?
> 
> Regards

Production servers are handled by some other team. You want me to recycle the
servers once?





Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by Lukasz Lenart <lu...@apache.org>.
2014-07-17 12:26 GMT+02:00 saikrishna <sa...@gmail.com>:
> Even though dev mode is set to false, we are getting errors as above asking us
> to set devmode to false, which is already there.
>
> And both entries are taken from production logs.

Have you restarted the app?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by saikrishna <sa...@gmail.com>.
Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 
> 2014-07-17 12:17 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> > Sorry, this is an issue from production, where dev mode is already set to false
> > in the config files.
> > The log entry is from production.
> 
> Which one? Both entries have "Developer Notification (set
> struts.devMode to false to disable this message"
> 
> Regards


Even though dev mode is set to false, we are getting errors as above asking us
to set devmode to false, which is already there.

And both entries are taken from production logs.





Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by Lukasz Lenart <lu...@apache.org>.
2014-07-17 12:17 GMT+02:00 saikrishna <sa...@gmail.com>:
> Sorry, this is an issue from production, where dev mode is already set to false
> in the config files.
> The log entry is from production.

Which one? Both entries have "Developer Notification (set
struts.devMode to false to disable this message"


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by saikrishna <sa...@gmail.com>.
Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 
> 2014-07-17 11:31 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> > 2014-04-18 05:23:12,320 ERROR ParametersInterceptor:34 - Developer
> > Notification (set struts.devMode to false to disable this message):
> > Unexpected Exception caught setting
> > 'redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()}' on 'class java.lang.String: 100
> >
> >
> > This is the complete log entry. Looks like it's a hack attempt trying to post
> > some data to the server?
> > Please advise on the possible fix.
> 
> But this is only visible in devMode, it isn't an issue.
> 
> Regards

Sorry, this is an issue from production, where dev mode is already set to false
in the config files.
The log entry is from production.





Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by Lukasz Lenart <lu...@apache.org>.
2014-07-17 11:31 GMT+02:00 saikrishna <sa...@gmail.com>:
> 2014-04-18 05:23:12,320 ERROR ParametersInterceptor:34 - Developer
> Notification (set struts.devMode to false to disable this message):
> Unexpected Exception caught setting
> 'redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()}' on 'class java.lang.String: 100
>
>
> This is the complete log entry. Looks like it's a hack attempt trying to post
> some data to the server?
> Please advise on the possible fix.

But this is only visible in devMode, it isn't an issue.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by saikrishna <sa...@gmail.com>.
Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 
> 2014-07-17 11:15 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
> >
> > Hi
> > Many thanks for the reply post. I am just wondering, we have already been
> > upgraded to a later version than 2.3.15.1, which is 2.3.16.2. Should this not be
> > handling this kind of vulnerability by default? What I mean is, say, Windows
> > 8 is an upgraded version of Windows 7; whatever issues were resolved in
> > Windows 7 must not appear again in Windows 8, right?
> >
> > Is it recommendable to go back to 2.3.15.1? (We have moved to 2.3.16.2 to
> > tackle other vulnerabilities.)
> >
> > And we have already switched off devmode in production. Still we are getting
> > the below error.
> >
> > Kindly advise. Appreciate the quick response.
> 
> If you are using 2.3.16.2 you are safe, after disabling devMode what
> kind of error do you see in the logs?
> Can you post the whole log entry?
> 
> Regards

2014-04-18 05:23:12,320 ERROR ParametersInterceptor:34 - Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()}' on 'class java.lang.String: 100


This is the complete log entry. Looks like it's a hack attempt trying to post
some data to the server?
Please advise on the possible fix.





Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by Lukasz Lenart <lu...@apache.org>.
2014-07-17 11:15 GMT+02:00 saikrishna <sa...@gmail.com>:
>
> Hi
> Many thanks for the reply post. I am just wondering, we have already been
> upgraded to a later version than 2.3.15.1, which is 2.3.16.2. Should this not be
> handling this kind of vulnerability by default? What I mean is, say, Windows
> 8 is an upgraded version of Windows 7; whatever issues were resolved in
> Windows 7 must not appear again in Windows 8, right?
>
> Is it recommendable to go back to 2.3.15.1? (We have moved to 2.3.16.2 to
> tackle other vulnerabilities.)
>
> And we have already switched off devmode in production. Still we are getting
> the below error.
>
> Kindly advise. Appreciate the quick response.

If you are using 2.3.16.2 you are safe, after disabling devMode what
kind of error do you see in the logs?
Can you post the whole log entry?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by saikrishna <sa...@gmail.com>.


Lukasz Lenart <lukaszlenart <at> apache.org> writes:

> 
> This vulnerability was resolved in 2.3.15.1, more details here
> http://struts.apache.org/release/2.3.x/docs/s2-017.html
> 
> For sure you must switch off devMode in production; this has a large
> impact on overall application performance.
> 

Hi
Many thanks for the reply post. I am just wondering, we have already been
upgraded to a later version than 2.3.15.1, which is 2.3.16.2. Should this not be
handling this kind of vulnerability by default? What I mean is, say, Windows
8 is an upgraded version of Windows 7; whatever issues were resolved in
Windows 7 must not appear again in Windows 8, right?

Is it recommendable to go back to 2.3.15.1? (We have moved to 2.3.16.2 to
tackle other vulnerabilities.)

And we have already switched off devmode in production. Still we are getting
the below error.

Kindly advise. Appreciate the quick response.





Re: redirect vulnerability after upgrading to Struts 2.3.16.2

Posted by Lukasz Lenart <lu...@apache.org>.
This vulnerability was resolved in 2.3.15.1, more details here
http://struts.apache.org/release/2.3.x/docs/s2-017.html

For sure you must switch off devMode in production; this has a large
impact on overall application performance.

2014-07-16 17:28 GMT+02:00 saikrishna <sa...@gmail.com>:
> Hi, getting the below error. Looks like somebody tried to attack our application
> with a redirect. Below is the log. Please advise.
>
> ParametersInterceptor:34 - Developer Notification (set struts.devMode to false
> to disable this message):
> Unexpected Exception caught setting
> 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}' on 'class java.lang.String: 100
>
>
> Somebody is trying to post something to the server with the redirect URL.
>
> Please suggest what should I do.
>
> Thanks
