Struts2 远程漏洞（国外英文资料）.doc

Struts2 远程漏洞（国外英文资料） I was curious yesterday when Mr. Cheng mentioned the flaws in the struts2 when we developed the MVC pattern. So, today were going to do the struts2 Come out and show you, its a long experience. Read a piece of news first, and understand the severity of the vulnerability. The safety guard pointed out that Struts2 was exposed to significant remote and arbitrary code to perform security vulnerabilities and affect the Struts2 full system version. As for the risk of this kind of prism, many big Internet companies have the vulnerability, and they are still expanding. At the same time, the exploit code has been enhanced to perform arbitrary operations on the server directly through the browsers submission and get sensitive content. At present, the security users can rest easy. It is also recommended that users who use the Struts open source framework to join the security cloud as soon as possible to protect the site from vulnerabilities. The struts 2 holes in first intercepted by net AnQuanBao its attack, loophole involving Struts2.0 and above version, is a remote command execution vulnerability and open to redirect. Using vulnerabilities, hackers can launch remote attacks that can steal data from websites and even gain control of the sites servers. And in view of the automation tools began to appear the vulnerability, an attacker without have vulnerabilities related professional knowledge into server, execute the command operation directly, steal data or even destructive operation. AnQuanBao Wu Hanqing joint products vice President pointed out: Struts 2 is a help Java developers using j2ee development of Web application development framework, as the underlying generic template of website development, in the large Internet companies, widely used in the construction of the government, financial institutions and other website. As a result, the Struts 2 remote execution vulnerability, threat will be lots of dimensions website. Now, open source framework