A scan flagged a Druid unauthorized-access vulnerability in a company project


Isn't this the Alibaba Druid monitoring page? It was reachable without logging in, so the next step is to look at the project configuration.

1. web.xml contains the following configuration:

<filter>
    <filter-name>DruidWebStatFilter</filter-name>
    <filter-class>com.alibaba.druid.support.http.WebStatFilter</filter-class>
    <init-param>
        <param-name>exclusions</param-name>
        <param-value>*.js,*.gif,*.jpg,*.png,*.css,*.ico,/druid/*</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>DruidWebStatFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>DruidStatView</servlet-name>
    <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>DruidStatView</servlet-name>
    <url-pattern>/druid/*</url-pattern>
</servlet-mapping>

2. Fix:

2.1. The simplest fix is to delete or comment out that configuration entirely (the DruidStatView servlet together with its servlet-mapping), which removes the monitoring page from the deployment;

2.2. Add username/password management so that the page requires a login. The configuration is as follows (the druid/druid values are placeholders; replace them with a non-default, strong password before deploying):

<servlet>
    <servlet-name>DruidStatView</servlet-name>
    <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
    <init-param>
        <!-- username -->
        <param-name>loginUsername</param-name>
        <param-value>druid</param-value>
    </init-param>
    <init-param>
        <!-- password -->
        <param-name>loginPassword</param-name>
        <param-value>druid</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>DruidStatView</servlet-name>
    <url-pattern>/druid/*</url-pattern>
</servlet-mapping>
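To check a deployment descriptor for this misconfiguration mechanically, and to put a hardened StatViewServlet block next to the vulnerable one, here is an added Python example. It is not code from the original post or from the Druid project. It relies on the init-param names StatViewServlet reads (loginUsername, loginPassword, and the allow IP list); the two web.xml strings, the username dba_monitor, the password value and the IP ranges in them are constructed for the demo.

```python
"""Audit a web.xml for an exposed Druid StatViewServlet (added example)."""
import xml.etree.ElementTree as ET

DRUID_STATVIEW = "com.alibaba.druid.support.http.StatViewServlet"
# Values a scanner tries first; "druid" is the placeholder most copied configs keep.
WEAK_PASSWORDS = {"", "druid", "admin", "admin123", "123456", "password"}

# Constructed sample 1: the descriptor from the post, no authentication at all.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet>
    <servlet-name>DruidStatView</servlet-name>
    <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DruidStatView</servlet-name>
    <url-pattern>/druid/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample 2: hardened descriptor (namespaced, as real web.xml files are).
# The password is a made-up placeholder; in practice it would come from a secret
# store rather than being committed in web.xml.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>DruidStatView</servlet-name>
    <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
    <init-param>
      <param-name>loginUsername</param-name>
      <param-value>dba_monitor</param-value>
    </init-param>
    <init-param>
      <param-name>loginPassword</param-name>
      <param-value>T9v!qLm2#zR8wE4s</param-value>
    </init-param>
    <init-param>
      <!-- only the ops jump host and the internal monitoring subnet -->
      <param-name>allow</param-name>
      <param-value>10.20.30.5,10.100.0.0/16</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>DruidStatView</servlet-name>
    <url-pattern>/druid/*</url-pattern>
  </servlet-mapping>
</web-app>"""


def _local(tag):
    """Drop the {xmlns} prefix so descriptors with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(xml_text):
    """Return one finding per StatViewServlet: its URL patterns and a list of issues."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for el in root:
        if _local(el.tag) == "servlet-mapping":
            name = _child_text(el, "servlet-name")
            mappings.setdefault(name, []).append(_child_text(el, "url-pattern"))
    findings = []
    for el in root:
        if _local(el.tag) != "servlet" or _child_text(el, "servlet-class") != DRUID_STATVIEW:
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in el if _local(p.tag) == "init-param"}
        issues = []
        user, pwd = params.get("loginUsername"), params.get("loginPassword")
        if not user or not pwd:
            issues.append("no loginUsername/loginPassword: stat page is unauthenticated")
        elif pwd.lower() in WEAK_PASSWORDS or pwd == user:
            issues.append("loginPassword is a default or guessable value")
        if not params.get("allow"):
            issues.append("no 'allow' list: reachable from any client IP")
        name = _child_text(el, "servlet-name")
        findings.append({"servlet": name, "url_patterns": mappings.get(name, []),
                         "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for f in audit_web_xml(xml):
            print(label, f["servlet"], f["url_patterns"], f["issues"] or "OK")
```

Run it over the project's web.xml files in a pre-commit hook or a repo-wide scan; any finding whose issues list is non-empty is the same exposure the scanner reported. Note that a login alone still leaves the page reachable from the whole internet, which is why the hardened sample also restricts source addresses with the allow parameter.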



Posted on 2021-09-17 11:05 by 云淡风轻博客