Hello,
I know that Struts1 and 2 are completely different code bases, but I was
wondering if the technique used by the exploit described in the CVE and
https://struts.apache.org/docs/s2-026.html could possibly apply to a
Struts 1 deployment? There are no references to a ValueStack in the
Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
Dave
On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit
Struts1 is completely safe to use since no OGNL is involved; unfortunately,
people started misusing Struts2 the way it's easy to use, and it's in a way
to fix all the security holes found till now.
--
Thanks & Regards
Sreekanth S Nair
Java Developer
---
2015-10-06 21:04 GMT+02:00 David Gawron :
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
>
Same as s2-025 from your earlier question.
On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton wrote:
> Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
>
> Dave
>
>
> On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
>
>> Hello,
>>
On 05.10.2015 at 16:43, Volker Krebs wrote:
> On 03.10.2015 at 09:35, Lukasz Lenart wrote:
>> Hi,
>>
>> I have updated docs about the latest SMI addition:
>>
>> https://cwiki.apache.org/confluence/display/WW/Security#Security-StrictMethodInvocation
>>
2015-10-06 11:46 GMT+02:00 Volker Krebs :
> One thing,
> when using extends the allowed-methods won't be merged.
> Only the ones from action definition are used.
>
> E.g.:
>
>m1,m2
>
>
>
>
> ...
> m3,m4
>
>
>
> /app1/a1!m3.action is working.
>