Hello, welcome to the Wednesday, March 29th, 2017 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

First, the correction about one story yesterday, I mentioned the webdaf exploit against IIS 6.

It has to run on Windows 2003. I guess I mentioned

2013. There is of course no Windows 2013. It has to be Windows 2003. Yes, very old versions.

The part you should be concerned about is old forgotten SharePoint servers.

The Apache Struts 2 vulnerability is still actively being exploited, so hopefully if you didn't manage to update your servers,

you deployed some form of mitigating controls maybe a web application firewall or an

IPS rule there is a real great blog post that came out yesterday that discusses this vulnerability

in detail it however also offers an alternative exploit vector that may not get detected by your current

rules.

So take a look at it and make sure that you are protected from this variant of the exploit,

because it can be as damaging as the original exploit.

The original exploit used the content type header in the request.

The new variant actually uses a multi-part request and then in the second part it does use the

content disposition header essentially to do the same

trick.

So fundamentally the same exploit, exploiting the same vulnerability, but a different form of

the exploit that may not get detected because you don't have the content type header

as you had in the original exploit.

The blog post also shows you what you will find in your logs.

If you are being hit by this exploit, you will see an exception being locked.

...