[prev in list] [next in list] [prev in thread] [next in thread] 

List:       struts-user
Subject:    Re: How to determine if a Windows server is running Apache Struts?
From:       Sean Son <linuxmailinglistsemail () gmail ! com>
Date:       2017-09-07 3:47:01
Message-ID: CAOKpjz_Znf2KAYNk0tsH=z4GgONLk7AT1rCr+VBJ05xge1hksg () mail ! gmail ! com
[Download RAW message or body]


On Wed, Sep 6, 2017 at 7:56 PM, Ken McWilliams <ken.mcwilliams@gmail.com>
wrote:

> Programs can also be "exploded" (not in any type of zip file) so be sure to
> search all files in the normal filesystem as well. To test your script just
> create a couple zip files with some nested folders where you have placed
> some made up files either called "struts.xml" or "struts2-core-*.jar" to be
> sure that your script is able to identify them. If they don't find those,
> your script is unhappy!
>
> On Wed, Sep 6, 2017 at 5:51 PM, Ken McWilliams <ken.mcwilliams@gmail.com>
> wrote:
>
> > Struts isn't a stand alone program but a framework, typically seen as
> > project dependency which supports web development on the JVM.
> >
> > I don't know the answer to 1) [although I will at the end go though the
> > process I would attempt to find such programs].
> >
> > 2) No. Struts2 [which is different code base from struts v1, and does not
> > share the same issues] is a Java Web Framework, it will run on any JEE
> > compliant web server, and will run on embedded web servers such as Jetty.
> >
> > 3) No. And the program list will not determine if the program uses the
> > struts framework.
> >
> > How I would attempt to determine the issue:
> >
> > Most programs will not have been obfuscated (which may make determining
> > this much harder).
> > Java applications are typically packaged as JAR, WAR, or EAR. These are
> > all just zip files. I would automate the process to scan for all such
> > files, open them recursively travel their internal folder structure and
> > search for either struts.xml OR struts2-core-*.jar where "*" is a version
> > number, and accumulate all such files and or paths to these files into a
> > plain text document and then check them by hand [to determine the version
> > of struts, and determine if it has the security exploit and/or is
> > exploitable (if it is isn't accessible to the outside world generally it
> > isn't a concern, of course this depends company size and the nature of
> what
> > is being secured)]. Some assumptions could be made about the internal
> > project structure that could save a great deal of time but because of
> build
> > differences these shortcuts (assuming what folder libraries are stored
> in)
> > could cause you to miss something so it is probably best to just search
> > everything.
> >
> > On Wed, Sep 6, 2017 at 4:56 PM, Sean Son <linuxmailinglistsemail@gmail.
> com
> > > wrote:
> >
> >> Hello all
> >>
> >> I am new to the mailing list as well as new to Apache Struts.  We all
> >> heard
> >> in the news about the vulnerability affecting Apache Struts. I have been
> >> tasked to determine which of our servers have Struts running on them.  I
> >> have a few questions on how to determine if a server is running Struts
> or
> >> not:
> >>
> >> 1) How does one determine if a Windows server, running IIS, has the
> Apache
> >> Struts framework installed on it?
> >>
> >> 2) Does Apache Struts only run on Apache Webserver and Tomcat?
> >>
> >> 3) Is there a simple way to determine if a server has Struts installed,
> >> instead of logging into each of the servers and checking the programs
> >> list?
> >>
> >>
> >> I appreciate ALL help!
> >>
> >>
> >> Thanks
> >>
> >> Sean
> >>
> >
> >
> >
> > --
> > Sent from my C64 using a 300 baud modem
> >
>
>
>
> --
> Sent from my C64 using a 300 baud modem
>


Thank you for your reply.  Do you know what script should be used for
Windows servers to check for Struts?  I am not a Windows Admin, so any
guidance will be greatly appreciated!


Thanks


[prev in list] [next in list] [prev in thread] [next in thread]