Struts 1.x


Struts 1.x

Darius Opensource-2
It might be prudent to use ParamWrapperFilter.

https://community.saas.hpe.com/t5/Security-Research/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/250111

There is a proof of concept exploit in the wild that any script kiddie
could use and, yes, arbitrary code execution.

I could be wrong but there appears to be a potential entry vector in
Oscar itself but for it to be exploitable, it depends on the Tomcat
version.

Apologies if we are already using ParamWrapperFilter or similar.


Darius.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Oscarmcmaster-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/oscarmcmaster-devel
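The mitigation Darius points to, shown as an added example that is not the OSCAR project's, Apache Struts' or the linked HPE article's own code: a servlet filter in the ParamWrapperFilter style that hides any request parameter whose name would let Struts 1 bean population walk a property path through `class` and on to the class loader. The class name `ClassLoaderParamFilter`, the regular expression and the sample parameter names are this example's own assumptions; the upstream filter's exact pattern may differ.

```java
// Added example: a defensive request wrapper in the style of Struts 1's
// ParamWrapperFilter. Class name, regex and sample names are assumptions
// made for this illustration, not the project's or HPE's actual code.
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class ClassLoaderParamFilter implements Filter {

    // Blocks any property path that contains a "class" segment, in dot or
    // bracket notation: class.x, foo.class.x, foo[class].x, foo['class'].x.
    // Plain words such as "classification" or "myclass" are left alone.
    static final Pattern BLOCKED = Pattern.compile(
        "(^|.*[.\\[]['\"]?)class(['\"]?[.\\[\\]]|$).*",
        Pattern.CASE_INSENSITIVE);

    static boolean isBlocked(String name) {
        return name != null && BLOCKED.matcher(name).matches();
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Everything downstream (including Struts' ActionServlet) sees
            // only the wrapped, filtered parameter set.
            req = new SafeRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    // The wrapper overrides every accessor a form-populating framework may
    // use, so a blocked name cannot leak through a second code path.
    static class SafeRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params = new HashMap<>();

        SafeRequest(HttpServletRequest request) {
            super(request);
            for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
                if (!isBlocked(e.getKey())) {
                    params.put(e.getKey(), e.getValue());
                }
            }
        }

        @Override
        public String getParameter(String name) {
            String[] v = params.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }

        @Override
        public String[] getParameterValues(String name) {
            return params.get(name);
        }

        @Override
        public Enumeration<String> getParameterNames() {
            return Collections.enumeration(params.keySet());
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return Collections.unmodifiableMap(params);
        }
    }

    // Stand-alone check of the matcher on constructed sample names.
    public static void main(String[] args) {
        String[] samples = {
            "demographicNo", "classification", "myclass",   // should pass
            "class.x", "form.Class.y", "form['class'].z"     // should be blocked
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isBlocked(s) ? "blocked" : "allowed"));
        }
    }
}
```

Register it in web.xml with a filter-mapping on the Struts action URL pattern so it runs before ActionServlet; log blocked names at the same point if you want a detection signal for probing.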

Re: Struts 1.x

Luiz Rufato
Thank you Darius.


This is from 2014, any chance of this affecting modern servers? Debian-like
projects, like Ubuntu, are very serious about this kind of stuff?
Did you test it?

Luiz.



Re: Struts 1.x

Darius Opensource-2
Yes, I did test the exploit on Oscar.
Without giving too much away, I would suggest staying with Tomcat 7 for now.

I am afraid that the issue is independent of Debian and Ubuntu.
Oscar is dependent on Struts 1.x to support legacy code.


Darius



Re: Struts 1.x

Colcamex Resources Inc.
Thank you Darius. It’s unfortunate that you have no other method to share your findings with us.

________

Join the Community of OSCAR members at OSCAR CON 2017 Roadshow
Vancouver Island:  www.eply.com/oscarconvancouverisland
Vancouver:  www.eply.com/oscarconvancouver
________

Dennis Warren
Consultant
Colcamex Resources
[hidden email]
778.386.9264


Re: Struts 1.x

Dennis Antrobus
Building on Dennis Warren’s comment, perhaps there’s now a need for an Oscar security mailing list that is not publicly viewable to discuss matters such as these, without worrying about divulging too much information?

Dennis.





Re: Struts 1.x

Peter Hutten-Czapski-2
Security vulnerabilities come up infrequently.
I thank people for their discretion in not specifying how to hack OSCAR on this publicly accessible list.

If you have security concerns, best practice would be to mention details to oscar-emr directly or to the current technical committee chair (me) off list.
We have limited resources but security is a high priority for us.

Unless Oscar-emr knows of the problem, it can't be fixed.

================
Peter Hutten-Czapski
Haileybury Ontario

“The attitude that ‘if rural people want these services they’ll have to come to the city to get them’ is simply not acceptable…” (Newbery, 1999)

Before printing, think about the environment. Avant d'imprimer, pensez à l'environnement.


Re: Struts 1.x

Marc Dumontier
Thanks Guys,

Trying out the filter.



Re: Struts 1.x

Darius Opensource-2
Thanks for considering the suggestion, Mr. Dumontier.

If you are interested in verifying the entry vector, I will send details.


Darius



Re: Struts 1.x

Colcamex Resources Inc.

Thank you Muki for your bravery to come forward with this.

Thank you Darius.


Dennis Warren
Consultant
Colcamex Resources
[hidden email]
778.386.9264

On May 31, 2017, at 10:23 AM, Darius <[hidden email]> wrote:

Thanks for considering the suggestion, Mr. Dumontier.

If you are interested in verifying the entry vector, will send details.


Darius


On Wed, May 31, 2017 at 1:00 PM, Marc Dumontier <[hidden email]> wrote:
Thanks Guys,

Trying out the filter.


On Wed, May 31, 2017 at 11:33 AM, Peter Hutten-Czapski
<[hidden email]> wrote:

Security vulnerabilities come up infrequently
I thanks people for their discression not to specify how to hack OSCAR on
this publically accessible list

If you have security concerns best practices would be to mention details
to oscar-emr directly or to the current technical committee chair (me) off
list.
We have limited resources but security is high priority for us.

Unless Oscar-emr knows of the problem, it can't be fixed

================
Peter Hutten-Czapski
Haileybury Ontario

"The attitude that ‘if rural people want these services they’ll have to
come to the city to get them’ is simply not acceptable…” (Newbery, 1999)

Before printing, think about the environment. Avant d' imprimer, pensez à
l'environnement.

On 31 May 2017 at 08:39, Dennis Antrobus <[hidden email]> wrote:

Building on Dennis Warren’s comment, perhaps there’s now a need for an
Oscar security mailing list that is not publicly viewable to discuss matters
such as these, without worrying about divulging too much information ?

Dennis.




On May 31, 2017, at 2:39 AM, Colcamex Resources Inc.
<[hidden email]> wrote:

Thank you Darius.  It’s unfortunate that you have no other method to
share your findings with us.

________

Join the Community of OSCAR members at OSCAR CON 2017 Roadshow
Vancouver Island:  www.eply.com/oscarconvancouverisland
Vancouver:  www.eply.com/oscarconvancouver
________

Dennis Warren
Consultant
Colcamex Resources
[hidden email]
778.386.9264

On May 30, 2017, at 8:34 PM, Darius <[hidden email]> wrote:

Yes, I did test the exploit on Oscar.
Without giving too much away, I would suggest staying with Tomcat 7 for
now.

I am afraid that the issue is independent of Debian and Ubuntu.
Oscar is dependent on Struts 1.x to support legacy code.


Darius


On Tue, May 30, 2017 at 10:34 PM, Luiz Rufato <[hidden email]> wrote:

Thank you Darius.


This is from 2014, any chance of this affect modern servers? Debian-like
projects, like Ubuntu, are very serious about this kind of stuff?
Do you tested it?

Luiz.


Em 30-05-2017 22:56, Darius escreveu:


It might be prudent to use ParamWrapperFilter.



https://community.saas.hpe.com/t5/Security-Research/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/250111

There is a proof of concept exploit in the wild that any script kiddie
could use and, yes, arbitrary code execution.

I could be wrong but there appears to be a potential entry vector in
Oscar itself but for it to exploitable, it depends on the Tomcat
version.

Apologies if we are already using ParamWrapperFilter or similar.


Darius.



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Oscarmcmaster-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/oscarmcmaster-devel





--
Marc Dumontier
519-584-5601
http://www.hxb.ca
http://www.oscarmcmaster.org



Re: Struts 1.x

Marc Dumontier
In reply to this post by Darius Opensource-2
Sure, if it's easy for me to execute it.

The application seems to work fine with the filter there. I'll put it up on bitbucket shortly.


On Wed, May 31, 2017 at 1:23 PM, Darius <[hidden email]> wrote:
Thanks for considering the suggestion, Mr. Dumontier.

If you are interested in verifying the entry vector, will send details.


Darius


On Wed, May 31, 2017 at 1:00 PM, Marc Dumontier <[hidden email]> wrote:
> Thanks Guys,
>
> Trying out the filter.

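Marc reports that the application still works with the filter in place. For readers who want to see what a ParamWrapperFilter-style mitigation for the Struts 1 class loader manipulation problem actually does, the following is an added example, my own illustration and not Oscar's commit, not the code from the HPE post Darius linked, and not Apache's ParamWrapperFilter. The class name `ClassLoaderParamFilter`, the `FilteredRequest` wrapper, the `filterNames` helper and the `DENY` regular expression are all constructed for this example; it assumes the Servlet 3.0 API (what Tomcat 7 provides), and it is the kind of filter that would be mapped in web.xml ahead of the Struts ActionServlet.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical servlet filter (example only, not Oscar's or Apache's code).
 * It hides request parameters whose names could reach the "class" property
 * of a Struts 1 ActionForm, and from there the class loader, before the
 * Struts request processor populates the form bean from the request.
 */
public class ClassLoaderParamFilter implements Filter {

    // Constructed deny pattern. It matches a parameter name when a property
    // segment is exactly "class" or "Class": at the start ("class.x"), after a
    // dot ("form.class.x"), or in bracket syntax ("form[class].x",
    // "form['class'].x"). Names such as "classification" or "subclass" pass.
    private static final Pattern DENY = Pattern.compile(
            "(^|.*\\.|.*\\[(['\"])?)[cC]lass(\\.|(['\"])?\\]|\\[|$).*");

    /** True when the parameter name may be passed on to the application. */
    static boolean isAllowed(String name) {
        return name != null && !DENY.matcher(name).matches();
    }

    /** Returns a copy of the parameter map with every denied name removed. */
    static Map<String, String[]> filterNames(Map<String, String[]> in) {
        Map<String, String[]> out = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : in.entrySet()) {
            if (isAllowed(e.getKey())) {
                out.put(e.getKey(), e.getValue());
            }
            // A production filter would log the rejected name here so that
            // probing for this issue shows up in the application log.
        }
        return out;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Everything downstream, Struts included, sees only the wrapper.
            req = new FilteredRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Request wrapper that exposes only the allowed parameters. */
    static final class FilteredRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;

        FilteredRequest(HttpServletRequest r) {
            super(r);
            params = filterNames(r.getParameterMap());
        }

        @Override public Map<String, String[]> getParameterMap() {
            return Collections.unmodifiableMap(params);
        }
        @Override public Enumeration<String> getParameterNames() {
            return Collections.enumeration(params.keySet());
        }
        @Override public String[] getParameterValues(String name) {
            return params.get(name);
        }
        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
    }
}
```

Two points a practitioner would want noted. First, the filter only helps if it runs before anything that reads parameters, so its `<filter-mapping>` has to cover the Struts action URL pattern and sit ahead of any other filter that touches the request. Second, a name denylist is a mitigation layered in front of the form-bean population, not a fix of the population itself: a parameter syntax the pattern does not anticipate gets through, so keep the pattern under unit test with the accepted and rejected names above and log rejected names so that attempts are visible in the application log.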

Re: Struts 1.x

Marc Dumontier
commit is in this branch OSCAREMR-6183-cve-2014-0114-struts-1x-cl


On Wed, May 31, 2017 at 2:27 PM, Marc Dumontier <[hidden email]> wrote:
Sure, if it's easy for me to do execute it.

The application seems to work fine with the filter there. I'll put it up on bitbucket shortly.



Re: SPAM? Re: Struts 1.x

Peter Hutten-Czapski-2
#626 won't build in Jenkins

[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] /var/lib/jenkins/workspace/oscar-stable/src/test/java/org/oscarehr/dashboard/handler/IndicatorTemplateXMLTest.java:[34,36] error: cannot find symbol
[ERROR] symbol: class Assert location: package org.eclipse.jdt.internal.core
/var/lib/jenkins/workspace/oscar-stable/src/test/java/org/oscarehr/dashboard/handler/IndicatorTemplateXMLTest.java:[122,2] error: cannot find symbol
[ERROR] symbol: variable Assert location: class IndicatorTemplateXMLTest
/var/lib/jenkins/workspace/oscar-stable/src/test/java/org/oscarehr/dashboard/handler/IndicatorTemplateXMLTest.java:[137,2] error: cannot find symbol
[INFO] 3 errors
[INFO] -------------------------------------------------------------
[JENKINS] Archiving disabled
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE

================
Peter Hutten-Czapski
Haileybury Ontario

"The attitude that ‘if rural people want these services they’ll have to come to the city to get them’ is simply not acceptable…” (Newbery, 1999)

Before printing, think about the environment. Avant d' imprimer, pensez à l'environnement.

On 31 May 2017 at 14:31, Marc Dumontier <[hidden email]> wrote:
commit is in this branch OSCAREMR-6183-cve-2014-0114-struts-1x-cl



Re: SPAM? Re: Struts 1.x

Marc Dumontier
Geez, I thought for sure I did an rm -rf target/ before my compile.

I'll come back to it. It's just the test classes using the wrong Assert.


On Wed, May 31, 2017 at 3:14 PM, Peter Hutten-Czapski <[hidden email]> wrote:
#626 won't build in Jenkins

[ERROR] COMPILATION ERROR :
[INFO] ------------------------------------------------------------- [ERROR] /var/lib/jenkins/workspace/oscar-stable/src/test/java/org/oscarehr/dashboard/handler/IndicatorTemplateXMLTest.java:[34,36] error: cannot find symbol [ERROR] symbol: class Assert location: package org.eclipse.jdt.internal.core /var/lib/jenkins/workspace/oscar-stable/src/test/java/org/oscarehr/dashboard/handler/IndicatorTemplateXMLTest.java:[122,2] error: cannot find symbol [ERROR] symbol: variable Assert location: class IndicatorTemplateXMLTest /var/lib/jenkins/workspace/oscar-stable/src/test/java/org/oscarehr/dashboard/handler/IndicatorTemplateXMLTest.java:[137,2] error: cannot find symbol [INFO] 3 errors [INFO] ------------------------------------------------------------- [JENKINS] Archiving disabled [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE

================
Peter Hutten-Czapski
Haileybury Ontario

"The attitude that ‘if rural people want these services they’ll have to come to the city to get them’ is simply not acceptable…” (Newbery, 1999)

Before printing, think about the environment. Avant d' imprimer, pensez à l'environnement.

On 31 May 2017 at 14:31, Marc Dumontier <[hidden email]> wrote:
commit is in this branch OSCAREMR-6183-cve-2014-0114-struts-1x-cl


On Wed, May 31, 2017 at 2:27 PM, Marc Dumontier <[hidden email]> wrote:
Sure, if it's easy for me to do execute it.

The application seems to work fine with the filter there. I'll put it up on bitbucket shortly.


On Wed, May 31, 2017 at 1:23 PM, Darius <[hidden email]> wrote:
Thanks for considering the suggestion, Mr. Dumontier.

If you are interested in verifying the entry vector, will send details.


Darius


On Wed, May 31, 2017 at 1:00 PM, Marc Dumontier <[hidden email]> wrote:
> Thanks Guys,
>
> Trying out the filter.
>
>
> On Wed, May 31, 2017 at 11:33 AM, Peter Hutten-Czapski
> <[hidden email]> wrote:
>>
>> Security vulnerabilities come up infrequently
>> I thanks people for their discression not to specify how to hack OSCAR on
>> this publically accessible list
>>
>> If you have security concerns best practices would be to mention details
>> to oscar-emr directly or to the current technical committee chair (me) off
>> list.
>> We have limited resources but security is high priority for us.
>>
>> Unless Oscar-emr knows of the problem, it can't be fixed
>>
>> ================
>> Peter Hutten-Czapski
>> Haileybury Ontario
>>
>> "The attitude that ‘if rural people want these services they’ll have to
>> come to the city to get them’ is simply not acceptable…” (Newbery, 1999)
>>
>> Before printing, think about the environment. Avant d' imprimer, pensez à
>> l'environnement.
>>
>> On 31 May 2017 at 08:39, Dennis Antrobus <[hidden email]> wrote:
>>>
>>> Building on Dennis Warren’s comment, perhaps there’s now a need for an
>>> Oscar security mailing list that is not publicly viewable to discuss matters
>>> such as these, without worrying about divulging too much information ?
>>>
>>> Dennis.
>>>
>>>
>>>
>>>
>>> On May 31, 2017, at 2:39 AM, Colcamex Resources Inc.
>>> <[hidden email]> wrote:
>>>
>>> Thank you Darius.  It’s unfortunate that you have no other method to
>>> share your findings with us.
>>>
>>> ________
>>>
>>> Join the Community of OSCAR members at OSCAR CON 2017 Roadshow
>>> Vancouver Island:  www.eply.com/oscarconvancouverisland
>>> Vancouver:  www.eply.com/oscarconvancouver
>>> ________
>>>
>>> Dennis Warren
>>> Consultant
>>> Colcamex Resources
>>> [hidden email]
>>> 778.386.9264
>>>
>>> On May 30, 2017, at 8:34 PM, Darius <[hidden email]> wrote:
>>>
>>> Yes, I did test the exploit on Oscar.
>>> Without giving too much away, I would suggest staying with Tomcat 7 for
>>> now.
>>>
>>> I am afraid that the issue is independent of Debian and Ubuntu.
>>> Oscar is dependent on Struts 1.x to support legacy code.
>>>
>>>
>>> Darius
>>>
>>>
>>> On Tue, May 30, 2017 at 10:34 PM, Luiz Rufato <[hidden email]> wrote:
>>>
>>> Thank you Darius.
>>>
>>>
>>> This is from 2014; is there any chance of it affecting modern servers? Debian-like
>>> projects, like Ubuntu, are very serious about this kind of stuff, aren't they?
>>> Did you test it?
>>>
>>> Luiz.
>>>
>>>
>>> On 30-05-2017 22:56, Darius wrote:
>>>
>>>
>>> It might be prudent to use ParamWrapperFilter.
>>>
>>>
>>>
>>> https://community.saas.hpe.com/t5/Security-Research/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/250111
>>>
>>> There is a proof of concept exploit in the wild that any script kiddie
>>> could use and, yes, arbitrary code execution.
>>>
>>> I could be wrong, but there appears to be a potential entry vector in
>>> Oscar itself; for it to be exploitable, though, it depends on the Tomcat
>>> version.
>>>
>>> Apologies if we are already using ParamWrapperFilter or similar.
>>>
>>>
>>> Darius.
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Oscarmcmaster-devel mailing list
>>> [hidden email]
>>> https://lists.sourceforge.net/lists/listinfo/oscarmcmaster-devel
>>>
>>>
>>
>>
>
>
>
> --
> Marc Dumontier
> 519-584-5601
> http://www.hxb.ca
> http://www.oscarmcmaster.org
>
>

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Oscarmcmaster-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/oscarmcmaster-devel



--
Marc Dumontier
519-584-5601
http://www.hxb.ca
http://www.oscarmcmaster.org
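For readers who have not followed the HPE link: the filter discussed in this thread works by wrapping the incoming request and hiding any parameter whose name would let Struts 1's BeanUtils-based form population walk into a bean's `class` property (and from there into the ClassLoader). The Java below is an added illustration of that idea, not Marc's filter, Oscar's code, or the ParamWrapperFilter from the HPE post. The class name `ClassParamFilter`, the exclusion regex and the decision to silently drop (rather than reject the whole request) are this example's own choices; it assumes the Servlet 3.0 `javax.servlet` API that Tomcat 7 provides.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Added example of a ParamWrapperFilter-style guard for Struts 1 form population.
 * Parameters whose names traverse a "class" property (for example
 * "class.classLoader.resources.dirContext.docBase", "foo.class.x",
 * "foo['class'].x") are removed before the Struts ActionServlet sees them.
 * Names that merely contain the substring, such as "classification" or
 * "userClass", are left alone.
 */
public class ClassParamFilter implements Filter {

    // Assumed pattern (not taken from Struts or the HPE post): "class", in either
    // case, that stands at the start of the name or follows a "." or "[" / "['",
    // and is followed by ".", "[", a closing "]" / "']", or the end of the name.
    private static final Pattern CLASS_TRAVERSAL =
            Pattern.compile("(^|\\.|\\[['\"]?)[cC]lass(\\.|\\[|['\"]?\\]|$)");

    /** True when the parameter name would reach a bean's getClass() during population. */
    static boolean isBlocked(String paramName) {
        return paramName != null && CLASS_TRAVERSAL.matcher(paramName).find();
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request = new FilteredParamRequest((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    /** Request wrapper whose parameter accessors only expose the vetted parameters. */
    static class FilteredParamRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> safeParams;

        FilteredParamRequest(HttpServletRequest wrapped) {
            super(wrapped);
            Map<String, String[]> copy = new LinkedHashMap<String, String[]>();
            for (Map.Entry<String, String[]> e : wrapped.getParameterMap().entrySet()) {
                if (isBlocked(e.getKey())) {
                    // Dropped on purpose; log the name here if you want to detect probing.
                    continue;
                }
                copy.put(e.getKey(), e.getValue());
            }
            safeParams = Collections.unmodifiableMap(copy);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return safeParams;
        }

        @Override
        public Enumeration<String> getParameterNames() {
            return Collections.enumeration(safeParams.keySet());
        }

        @Override
        public String[] getParameterValues(String name) {
            return safeParams.get(name);
        }

        @Override
        public String getParameter(String name) {
            String[] values = safeParams.get(name);
            return (values == null || values.length == 0) ? null : values[0];
        }
    }
}
```

Register it in WEB-INF/web.xml with a `<filter>` element and a `<filter-mapping>` on `/*`, ordered before any filter that hands the request to the Struts ActionServlet. Two caveats a deployer should check rather than assume: the wrapper only covers what arrives through `getParameterMap()`, so multipart/form-data fields, which Struts 1 reads through its own MultipartRequestHandler, need the same vetting on that path; and the regex above is an illustration, so run your own probe names through `isBlocked` (and compare against the pattern in the HPE post) before relying on it, since a too-narrow pattern lets the traversal through and a too-wide one breaks legitimate form fields.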



