I understand...
I'll try to use your patch, hoping I never have a legal parameter in
the form of %{something}.
On 07/Jul/07, at 01:11, Musachy Barroso wrote:
That could prevent the infinite recursion, but not the remote exploit, I
would still be able to pass this in:
/[EMAIL PROTECTED]@exit()
As a side note, this problem is not only tied to the tags and tag attributes
as mentioned before; sometimes I have something like this in my action
mappings:
...
<result>someUrl.action&id=${id}</result>
...
where "id" is usually a parameter, which could also be exploited.
musachy
On 7/6/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
Please take a look at the jira issue.
I've uploaded a possible nice solution.
I desperately :) need to know if there are some possible problems with
using this on my site until a better solution is found.
--
Ing. Andrea Vettori
Information Technology Consultant
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
"Hey you! Would you help me to carry the stone?" Pink Floyd
--
Ing. Andrea Vettori
Information Technology Consultant
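
Added example (not part of the thread, not Struts code, and not the patch attached to the JIRA issue): a request-side check that flags parameter values carrying `%{` or `${`, plus an allowlist for a value such as `id` that is substituted into a result. All class and method names are hypothetical and `id` is assumed to be numeric; the delimiter check only covers values in that form, so the allowlist is the stricter control.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration; names are hypothetical, not a Struts API.
public class ExpressionParamGuard {
    // Openers that mark a value for expression evaluation: %{...} and ${...}
    private static final Pattern EXPR_OPEN = Pattern.compile("[%$]\\{");
    // Allowlist for a value placed into a result URL via ${id} (assumed numeric)
    private static final Pattern NUMERIC_ID = Pattern.compile("\\d{1,18}");

    /** Returns the names of parameters that have any value containing an expression opener. */
    public static List<String> findSuspicious(Map<String, String[]> params) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String v : e.getValue()) {
                if (v != null && EXPR_OPEN.matcher(v).find()) {
                    hits.add(e.getKey());
                    break; // one hit per parameter name is enough
                }
            }
        }
        return hits;
    }

    /** Stricter check for values that end up inside a result, like "id" in the mapping above. */
    public static boolean isSafeId(String value) {
        return value != null && NUMERIC_ID.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed sample request parameters
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("id", new String[] {"42"});
        params.put("name", new String[] {"%{something}"});
        params.put("ref", new String[] {"plain", "a${b}c"});

        System.out.println("flagged: " + findSuspicious(params));
        System.out.println("id accepted: " + isSafeId(params.get("id")[0]));
        System.out.println("expression as id accepted: " + isSafeId("${id}"));
    }
}
```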