There is another bypass of the excludeParams workaround. Test.action?class['classLoader'].resources......(snip)
I confirmed it works on struts 2.3.16. Plus, RCE exploits (for tomcat 8) using S2-020 were already disclosed. http://sec.baidu.com/index.php?research/detail/id/18 Therefore upgrading to the latest version is strongly recommended. Regards, -- Takeshi Terada _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
