CVE-2015-5209

2015-10-06 Thread David Gawron
Hello, I know that Struts1 and 2 are completely different code bases, but I was wondering if the technique used by the exploit described in the CVE and https://struts.apache.org/docs/s2-026.html could possibly apply to a Struts 1 deployment? There are no references to a ValueStack in the

Re: CVE-2015-5209

2015-10-06 Thread Dave Newton
Expressions aren't evaluated in S1; there is nothing like it I'm aware of. Dave On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote: > Hello, > > I know that Struts1 and 2 are completely different code bases, but I was > wondering if the technique used by the exploit

Re: CVE-2015-5209

2015-10-06 Thread Sreekanth S. Nair
Struts1 is completely safe to use since no OGNL is involved; unfortunately, people started misusing Struts2 the way it's easy to use, and it's in a way to fix all the security holes found till now. -- Thanks & Regards Sreekanth S Nair Java Developer ---

Re: CVE-2015-5209

2015-10-06 Thread Lukasz Lenart
2015-10-06 21:04 GMT+02:00 David Gawron : > Hello, > > I know that Struts1 and 2 are completely different code bases, but I was > wondering if the technique used by the exploit described in the CVE and > https://struts.apache.org/docs/s2-026.html could possibly apply to a >

Re: CVE-2015-5209

2015-10-06 Thread Dave Newton
Same as s2-025 from your earlier question. On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton wrote: > Expressions aren't evaluated in S1; there is nothing like it I'm aware of. > > Dave > > > On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote: > >> Hello, >>

Re: Strict Method Invocation

2015-10-06 Thread Volker Krebs
On 05.10.2015 at 16:43, Volker Krebs wrote: > On 03.10.2015 at 09:35, Lukasz Lenart wrote: >> Hi, >> >> I have updated docs about the latest SMI addition: >> >> https://cwiki.apache.org/confluence/display/WW/Security#Security-StrictMethodInvocation >>

Re: Strict Method Invocation

2015-10-06 Thread Lukasz Lenart
2015-10-06 11:46 GMT+02:00 Volker Krebs : > One thing, > when using extends the allowed-methods won't be merged. > Only the ones from action definition are used. > > E.g.: > >m1,m2 > > > > > ... > m3,m4 > > > > /app1/a1!m3.action is working. >