CVE-2014-0094 - Base QualysGuard is already updated with this vulnerability?
QID 12939 is in production.
Title: Apache Struts ClassLoader Manipulation Security Bypass Vulnerability (S2-020, S2-021)
Any hints for leveraging this QID? I am scanning servers that I know are running the vulnerable version of struts, and none of them are reporting the vulnerability. Do I need to specify the URL for the application somewhere? Will the detection work with a redirection? Example:
http://server/ redirects to http://www.someapplication.com. Will the detection work if someapplication.com is running the vulnerable struts version?
Thanks for any advice.
We are experiencing the same problems. Here's what Qualys sent back when a ticket was made:
"Looking at QID 12939, the detection is looking for Struts information in a couple of the default folders such as /, /struts/, /struts2/. Additionally, it will also search for an index.action file or any file containing .action. We are not able to crawl the folder unfortunately, so it should be the reason that you are experiencing false negatives in detection."
Within VM the scanner is designed to find vulnerabilities in known applications. It will not run a full web crawler against the target web application similar to a dedicated web application scanner. For Struts vulnerability detection the VM scanner looks for the first .action file in the default web page and launches detection probes against it. The VM scanner also checks if Struts installed example files (like HelloWorld.action and others) are on the target. If the .action file is not found in the default webpage then the VM scanner will not be able to detect vulnerabilities in custom web applications that are based on the Struts framework. This will result in false negatives. The most accurate way to scan for Struts vulnerabilities is with the Qualys WAS product.
The Qualys WAS scanner is able to run a full web crawler against the target web applications and find <any>.action filename in any location not limited to the default location or default webpage. The payload is then delivered to the URL with a file that ends in .action and it uses a specific test to find vulnerable Struts. This is a very accurate detection method and again the most accurate way to detect Apache Struts vulnerabilities.
The new WAS QID is 150127.
150127 will cover the following CVEs:
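Added example (not part of the thread, and not Qualys code): an offline pre-check of whether a host's default page references any .action URL, which the reply above says the VM detection needs before it can launch its probes. The function names, the set of HTML attributes inspected and the sample pages are assumptions made for illustration; the scanner's own link extraction is not described on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that can reference a Struts action from a landing page (assumed set).
URL_ATTRS = {("a", "href"), ("form", "action"), ("frame", "src"),
             ("iframe", "src"), ("link", "href"), ("script", "src")}


class ActionLinkFinder(HTMLParser):
    """Collects, in document order, URLs whose path ends in .action."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in URL_ATTRS:
                url = urljoin(self.base_url, value.strip())
                # urlparse keeps ?query and ;jsessionid out of .path
                if urlparse(url).path.lower().endswith(".action"):
                    self.found.append(url)


def first_action_url(base_url, html):
    """First .action URL on the page, or None if the page has none."""
    finder = ActionLinkFinder(base_url)
    finder.feed(html)
    return finder.found[0] if finder.found else None


def coverage(base_url, html):
    """Return (verdict, url) for one host's default page."""
    url = first_action_url(base_url, html)
    if url is None:
        return ("no .action on default page: VM false negative likely, use WAS", None)
    return ("default page exposes an .action URL for the VM probe", url)


# Constructed sample pages (not taken from any real host).
PAGE_WITH_ACTION = """<html><body>
<a href="/about.html">About</a>
<form action="app/login.action;jsessionid=ABC123?next=home" method="post"></form>
<a href="/app/list.action">List</a></body></html>"""
PAGE_WITHOUT_ACTION = """<html><body>
<a href="/portal/index.jsp">Enter</a>
<img src="/img/logo.png"></body></html>"""

if __name__ == "__main__":
    for page in (PAGE_WITH_ACTION, PAGE_WITHOUT_ACTION):
        print(coverage("http://server.example/", page))
```

Hosts that come back with no URL are the ones to hand to a WAS scan (QID 150127) rather than trusting a clean VM result.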