Struts1 is completely safe to use since no OGNL is involved. Unfortunately,
people started misusing struts2 the way it's easy to use, and it's in a way
to fix all the security holes found till now.
--
Thanks & Regards
Sreekanth S Nair
Java Developer
---
eGovernm
2015-10-06 21:04 GMT+02:00 David Gawron :
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
> Struts 1 deployment? Th
Same as s2-025 from your earlier question.
On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton wrote:
> Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
>
> Dave
>
>
> On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
>
>> Hello,
>>
>> I know that Struts1 and 2 are completely
Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
Dave
On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
>
Hello,
I know that Struts1 and 2 are completely different code bases, but I was
wondering if the technique used by the exploit described in the CVE and
https://struts.apache.org/docs/s2-026.html could possibly apply to a
Struts 1 deployment? There are no references to a ValueStack in the Struts
2015-10-06 11:46 GMT+02:00 Volker Krebs :
> One thing,
> when using extends the allowed-methods won't be merged.
> Only the ones from action definition are used.
>
> E.g.:
>
> m1,m2
>
>
>
>
> ...
> m3,m4
>
>
>
> /app1/a1!m3.action is working.
> /app1/a1!m1.action is *not* w
Am 05.10.2015 um 16:43 schrieb Volker Krebs:
> Am 03.10.2015 um 09:35 schrieb Lukasz Lenart:
>> Hi,
>>
>> I have updated docs about the latest SMI addition:
>>
>> https://cwiki.apache.org/confluence/display/WW/Security#Security-StrictMethodInvocation
>> https://cwiki.apache.org/confluence/display/W