On Wed, Oct 13, 2010 at 10:37 AM, Caoilte O'Connor wrote:

> 1) =========================
> First of all, we are still using 2.0.x series Struts2. From what I can
> tell this means we are theoretically vulnerable to
>
> http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html


There's no "theory" involved; you're vulnerable to any of the tricks listed,
if you're running it stock.

> However, although I have successfully reproduced CVE-2010-1870 on a
> Windows environment, I have been unable to reproduce it on any of our
> Linux environments. I don't understand why they would be immune to the
> attack and would be very interested in finding out if the attack
>

My guess would be JVM differences, but that's just a guess.


> 2) =========================
> Secondly, we haven't applied any "Freemarker" configuration settings
> as advised here
>
> http://struts.apache.org/2.0.14/docs/performance-tuning.html
>
> I think it was probably assumed that because we use JSP/Struts2 tags
> that there wouldn't be any Freemarker to configure.


Why would you think that? The default S2 tags are based *entirely* on
FreeMarker.


> i) Create a freemarker.properties file in your WEB-INF/classes directory.
> ii) enable Freemarker template caching
>
> Is that correct?
>

Yes, along with the other performance tuning tips listed.


> i) have quite a few custom interceptors and chains
> ii) make extensive use of most S: and SS: tags in jsp.
>

What are "ss" tags?

In any case, modulo a few config changes (the new filter being the primary
thing) most of your code should run unaltered, depending on what your code
actually does.

Dave