Re: Struts 2.3.31 is excluding generic object.

2017-03-12 Thread Lukasz Lenart
2017-03-12 18:48 GMT+01:00 Yasser Zamani :
>> This is strange, this can only happen if you used OGNL 3.1.14 or
>> 3.0.20 [1] but this wasn't part of Struts 2.3.32
> Don't worry Lukasz, it was not about #context accessibility; OGNL
> successfully compiles and goes forward until
> `javax.servlet.htt

Re: Struts 2.3.31 is excluding generic object.

2017-03-12 Thread Yasser Zamani
On 3/12/2017 8:21 PM, Lukasz Lenart wrote:
> 2017-03-12 15:57 GMT+01:00 Yasser Zamani :
>> Hi Anurag,
>>
>> I hope it's not too late but I have some comments.
>>
>> Today we updated to Struts2.3.32 to fix security issue S2-045.
>>
>> After that, similar to your problem, we lost following OGNL eva

Re: Struts 2.3.31 is excluding generic object.

2017-03-12 Thread Lukasz Lenart
2017-03-12 15:57 GMT+01:00 Yasser Zamani :
> Hi Anurag,
>
> I hope it's not too late but I have some comments.
>
> Today we updated to Struts2.3.32 to fix security issue S2-045.
>
> After that, similar to your problem, we lost following OGNL evaluation
> to null in our JSPs :(
>
> "%{#context['com.

Re: Struts 2.3.31 is excluding generic object.

2017-03-12 Thread Yasser Zamani
Hi Anurag, I hope it's not too late but I have some comments. Today we updated to Struts2.3.32 to fix security issue S2-045. After that, similar to your problem, we lost following OGNL evaluation to null in our JSPs :( "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].reque

Re: Struts 2.3.31 is excluding generic object.

2017-01-31 Thread Yasser Zamani
Yes I think. https://www.exploit-db.com/exploits/33142/ says there will be a remote command execution vulnerability. You may try that exploit and see for any results on your server. Apache Struts - ClassLoader Manipulation Remote Code ...