On Wed, Oct 13, 2010 at 10:37 AM, Caoilte O'Connor wrote:

> 1) =========================
> First of all, we are still using 2.0.x series Struts2. From what I can
> tell this means we are theoretically vulnerable to
>
> http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

There's no "theory" involved; you're vulnerable to any of the tricks listed, if you're running it stock.

> However, although I have successfully reproduced CVE-2010-1870 on a
> Windows environment, I have been unable to reproduce it on any of our
> Linux environments. I don't understand why they would be immune to the
> attack and would be very interested in finding out if the attack

My guess would be JVM differences, but that's just a guess.

> 2) =========================
> Secondly, we haven't applied any "Freemarker" configuration settings
> as advised here
>
> http://struts.apache.org/2.0.14/docs/performance-tuning.html
>
> I think it was probably assumed that because we use JSP/Struts2 tags
> that there wouldn't be any Freemarker to configure.

Why would you think that? The default S2 tags are based *entirely* on FreeMarker.

> i) Create a freemarker.properties file in your WEB-INF/classes directory.
> ii) enable Freemarker template caching
>
> Is that correct?

Yes, along with the other performance tuning tips listed.

> i) have quite a few custom interceptors and chains
> ii) make extensive use of most S: and SS: tags in jsp.

What are "ss" tags? In any case, modulo a few config changes (the new filter being the primary thing) most of your code should run un-altered, depending on what your code actually does.

Dave