RCE in production server

voice kolai abhikaf at gmail.com
Fri Mar 10 00:57:45 EST 2017

Hello team,

This is pretty bad. The production web app is running as root and anyone
can get access to the system using recent apache struts 2 RCE in atlassian

proof of concept:
Run the given python file.


uid=0(root) gid=0(root) groups=0(root)

[cmd]>>uname -a

Linux e370b9fb4a9e 4.5.5-x86_64-linode69 #3 SMP Fri May 20 15:25:13 EDT
2016 x86_64 GNU/Linux

Although Atlassian messed up here, you guys shouldn't run the application
as root. :-)

I have contacted Atlassian as well regarding this issue.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170309/831cb718/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin.py
Type: text/x-python-script
Size: 1637 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170309/831cb718/attachment.bin>

More information about the security mailing list