Struts 2 development mode vulnerability
I was tormented by this vulnerability and searched Baidu everywhere without finding an answer. It turned out to be my own carelessness: when upgrading Struts I had not deleted this block from web.xml:

    <filter>
      <filter-name>struts2</filter-name>
      <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>struts2</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

When upgrading Struts, the following needs to be added to web.xml:

    <filter>
      <filter-name>StrutsPrepareFilter</filter-name>
      <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
    </filter>
    <filter>
      <filter-name>StrutsExecuteFilter</filter-name>
      <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>StrutsPrepareFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>StrutsExecuteFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

This block is meant to replace the one above. If the old block is not removed, an AWVS scan keeps reporting the high-risk "Struts 2 development mode" vulnerability. The reason is that since Struts 2.1.3, ActionContextCleanUp and FilterDispatcher are deprecated and are replaced by StrutsPrepareFilter and StrutsExecuteFilter.
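The mistake above (the old StrutsPrepareAndExecuteFilter block left next to the new StrutsPrepareFilter/StrutsExecuteFilter pair) is easy to catch before a scanner does. The following is an added example, not code from the post: it parses a web.xml, lists the configured filter classes, and flags the duplicated Struts chain as well as the filters the post says were deprecated in 2.1.3. The sample web.xml at the bottom is constructed to reproduce the broken configuration described above.

```python
import xml.etree.ElementTree as ET

NG = "org.apache.struts2.dispatcher.ng.filter."
# Filter classes that Struts 2.1.3+ deprecated (see the post above).
DEPRECATED = {"org.apache.struts2.dispatcher.FilterDispatcher",
              "org.apache.struts2.dispatcher.ActionContextCleanUp"}
COMBINED = NG + "StrutsPrepareAndExecuteFilter"
SPLIT = {NG + "StrutsPrepareFilter", NG + "StrutsExecuteFilter"}

def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so web.xml with or without xmlns parses the same."""
    return tag.rsplit("}", 1)[-1]

def struts_filters(web_xml):
    """Return {filter-name: filter-class} for every <filter> element in the web.xml text."""
    filters = {}
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "filter":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("filter-name") and fields.get("filter-class"):
            filters[fields["filter-name"]] = fields["filter-class"]
    return filters

def check_struts_chain(web_xml):
    """Return a list of findings; an empty list means the Struts filter chain looks consistent."""
    classes = set(struts_filters(web_xml).values())
    findings = [f"deprecated filter still configured: {c}" for c in sorted(classes & DEPRECATED)]
    if COMBINED in classes and classes & SPLIT:
        findings.append("StrutsPrepareAndExecuteFilter is configured alongside "
                        "StrutsPrepareFilter/StrutsExecuteFilter: remove the old block")
    elif classes & SPLIT and not SPLIT <= classes:
        findings.append("only one of StrutsPrepareFilter/StrutsExecuteFilter is configured")
    return findings

# Constructed sample: the broken web.xml from the post, old block not removed.
BROKEN_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class></filter>
  <filter><filter-name>StrutsPrepareFilter</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class></filter>
  <filter><filter-name>StrutsExecuteFilter</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class></filter>
</web-app>"""

if __name__ == "__main__":
    for finding in check_struts_chain(BROKEN_WEB_XML):
        print("FINDING:", finding)
```

Point the script at a real web.xml (read the file and pass its text to check_struts_chain) and an empty result means only the new StrutsPrepareFilter/StrutsExecuteFilter pair is configured.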