2014-07-17 11:15 GMT+02:00 saikrishna <saikrishnaad...@gmail.com>:
>
> Lukasz Lenart <lukaszlenart <at> apache.org> writes:
>
>> This vulnerability was resolved in 2.3.15.1, more details here
>> http://struts.apache.org/release/2.3.x/docs/s2-017.html
>>
>> For sure you must switch off devMode in production, this has a large
>> impact on overall application performance
>>
>> 2014-07-16 17:28 GMT+02:00 saikrishna <saikrishnaadivi <at> gmail.com>:
>> > Hi. Getting the below error. Looks like somebody tried to attack our application
>> > with a redirect. Below is the log. Please advise.
>> >
>> > ParametersInterceptor:34 - Developer Notification (set struts.devMode to false
>> > to disable this message):
>> > Unexpected Exception caught setting
>> > 'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}' on 'class java.lang.String: 100
>> >
>> > Somebody is trying to post something to the server with the redirect URL.
>> >
>> > Please suggest what I should do.
>> >
>> > Thanks
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: user-unsubscribe <at> struts.apache.org
>> > For additional commands, e-mail: user-help <at> struts.apache.org
>
> Hi
> Many thanks for the reply post. I am just wondering, we have already
> upgraded to a later version than 2.3.15.1, which is 2.3.16.2. Should this not be
> handling this kind of vulnerability by default? What I mean is, say, Windows
> 8 is an upgraded version of Windows 7. Whatever issues were resolved in
> Windows 7 must not appear again in Windows 8, right?
>
> Is it recommendable to go back to 2.3.15.1? (We have moved to 2.3.16.2 to
> tackle other vulnerabilities.)
>
> And we have already switched off devMode in production. Still we are getting
> the below error.
>
> Kindly advise. Appreciate the quick response.

If you are using 2.3.16.2 you are safe, after disabling devMode what
kind of error do you see in the logs? Can you post the whole log
entry?

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
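
Added example, not part of the original thread or of Struts: a small Python log triage script that flags request lines and ParametersInterceptor messages like the one quoted above, where a parameter starts with one of the prefixes named in the S2-016/S2-017 advisories (`redirect:`, `redirectAction:`, `action:`) and carries an OGNL expression or an external redirect target. The function names, the heuristics and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Parameter prefixes named in the S2-016 / S2-017 advisories.
PREFIX_RE = re.compile(r"\b(redirectAction|redirect|action):(\S*)", re.IGNORECASE)
OGNL_RE = re.compile(r"[$%]\{")            # start of an OGNL expression: ${ or %{
EXTERNAL_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)

def fully_decode(text, max_rounds=3):
    """Undo URL-encoding repeatedly (bounded) so double-encoded input is seen."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return (prefix, kind) for a suspicious log line, or None."""
    for m in PREFIX_RE.finditer(fully_decode(line)):
        prefix, value = m.group(1), m.group(2)
        if OGNL_RE.search(value):
            return (prefix, "ognl-expression")
        if EXTERNAL_RE.match(value):
            return (prefix, "external-redirect")
    return None

def scan(lines):
    """Return [(line_number, prefix, kind), ...] for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = classify(line)
        if result:
            hits.append((number,) + result)
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jul/2014:17:20:01 +0200] "GET /index.action HTTP/1.1" 200 512',
    '192.0.2.44 - - [16/Jul/2014:17:21:13 +0200] "GET /index.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 200 0',
    '192.0.2.44 - - [16/Jul/2014:17:21:15 +0200] "GET /index.action?redirectAction:%2524%257B1%252B1%257D HTTP/1.1" 200 0',
    '192.0.2.44 - - [16/Jul/2014:17:21:19 +0200] "GET /index.action?redirect:http://example.org/ HTTP/1.1" 302 0',
    "WARN ParametersInterceptor:34 - Unexpected Exception caught setting 'redirect:${#res=#context.get(...)}' on 'class java.lang.String: 100",
    '192.0.2.10 - - [16/Jul/2014:17:25:40 +0200] "GET /index.action?redirect:/home.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, prefix, kind in scan(SAMPLE_LOG):
        print(f"line {number}: {prefix}: parameter with {kind}")
```

A hit only shows that a request was attempted; on a patched version the same probes still arrive and can still be logged.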