[ https://issues.apache.org/struts/browse/WW-2692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=44688#action_44688 ]
Rene Gielen commented on WW-2692:
---------------------------------

zengyunfeng, as I stated in a former comment, Struts 2.0.11.2 comes with XWork 2.0.4, which does not contain the latest fix. Upcoming Struts 2.0.11.3 or 2.0.12 will come with the then released version 2.0.5 of XWork, which will contain the fix as it is built from the current 2.0 SVN branch. If you want to fix your current Struts 2.0.11.2 based project, you can build yourself an xwork-2.0.5-SNAPSHOT.jar from the SVN checkout and use it to replace the xwork-2.0.4.jar that comes with the 2.0.11.2 distribution.

> XWork ParameterInterceptors bypass (OGNL statement execution) (XW-641)
> ----------------------------------------------------------------------
>
>                 Key: WW-2692
>                 URL: https://issues.apache.org/struts/browse/WW-2692
>             Project: Struts 2
>          Issue Type: Bug
>   Affects Versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.1.0, 2.1.1, 2.1.2
>            Reporter: Rene Gielen
>            Assignee: Rene Gielen
>            Priority: Critical
>             Fix For: 2.0.11.2, 2.1.3
>
>
> Meder Kydyraliev of the Google Security Team reported a vulnerability to the XWork team that allows attackers to bypass security measures implemented in ParametersInterceptor to inject OGNL expressions.
> Since XWork is the foundation of Struts2, this must be considered a Struts2 vulnerability as well.
> For a full description, see http://jira.opensymphony.com/secure/ViewIssue.jspa?key=XW-641

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
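The comment above leaves a Struts 2.0.11.2 user with one concrete check: is the deployment still shipping xwork-2.0.4.jar, or has it been swapped for a 2.0.5 release or a 2.0.5-SNAPSHOT built from the 2.0 branch? The POSIX shell script below is an added example, not part of this JIRA thread and not Struts or XWork project code. It scans a lib directory (for example WEB-INF/lib) for xwork jars and reports whether each one is at least 2.0.5 judging by the version embedded in its file name, treating a 2.0.5-SNAPSHOT as fixed exactly as the comment does. It assumes the xwork-<version>.jar naming used in the comment and inspects file names only, so a renamed jar is beyond what it can judge, and it says nothing about the Struts 2.1.x line, for which the issue only names 2.1.3 as the fix version.

```shell
#!/bin/sh
# Added example (not from the JIRA thread or the Struts/XWork projects):
# report whether a Struts 2.0.x deployment still carries an XWork jar older
# than 2.0.5, the version the comment above names as carrying the XW-641 fix.
# Assumption: jars are named xwork-<version>.jar, e.g. xwork-2.0.4.jar or
# xwork-2.0.5-SNAPSHOT.jar (a 2.0.5-SNAPSHOT counts as fixed, per the comment).

# Version string from a jar path: xwork-2.0.5-SNAPSHOT.jar -> 2.0.5-SNAPSHOT
xwork_jar_version() {
    basename "$1" .jar | sed 's/^xwork-//'
}

# Exit status 0 if the version is 2.0.5 or later (release or snapshot),
# 1 if it is older than 2.0.5, 2 if the string is not a dotted version.
xwork_version_fixed() {
    ver=$(printf '%s' "$1" | sed 's/-SNAPSHOT$//')
    case "$ver" in
        ''|*[!0-9.]*) return 2 ;;   # only digits and dots allowed
        *.*) ;;                      # needs at least major.minor
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # "2.0" has no patch component: treat the missing field as 0
    if [ "$patch" = "$rest" ]; then patch=0; fi
    patch=${patch%%.*}               # ignore anything past the third field
    for c in "$major" "$minor" "$patch"; do
        case "$c" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -gt 0 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 5 ]; then
        return 0
    fi
    return 1
}

# Scan one lib directory. Prints a verdict per xwork jar and returns 0 only
# when at least one xwork jar was found and every one of them is fixed.
check_lib_dir() {
    found=0
    bad=0
    for jar in "$1"/xwork-*.jar; do
        [ -e "$jar" ] || continue    # glob did not match anything
        found=1
        v=$(xwork_jar_version "$jar")
        if xwork_version_fixed "$v"; then
            echo "OK          $jar ($v)"
        else
            echo "VULNERABLE  $jar ($v): replace with XWork 2.0.5 or a 2.0.5-SNAPSHOT built from the 2.0 branch"
            bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no xwork-*.jar found in $1" >&2
        return 1
    fi
    [ "$bad" -eq 0 ]
}

# Usage: sh check_xwork.sh /path/to/webapp/WEB-INF/lib
if [ $# -gt 0 ]; then
    check_lib_dir "$1"
fi
```

Run it against each deployed webapp's WEB-INF/lib; a non-zero exit from check_lib_dir means either no XWork jar was found or at least one of them predates 2.0.5. Because the verdict comes from the file name alone, confirm a fixed result by checking the jar you actually built from the 2.0 branch is the one on the classpath.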