On Wed, Sep 6, 2017 at 7:56 PM, Ken McWilliams
wrote:
> Programs can also be "exploded" (not in any type of zip file) so be sure to
> search all files in the normal filesystem as well. To test your script just
> create a couple zip files with some nested folders where you have placed
> some made
Programs can also be "exploded" (not in any type of zip file) so be sure to
search all files in the normal filesystem as well. To test your script just
create a couple zip files with some nested folders where you have placed
some made up files either called "struts.xml" or "struts2-core-*.jar" to b
Struts isn't a standalone program but a framework, typically seen as a
project dependency which supports web development on the JVM.
I don't know the answer to 1) [although I will at the end go through the
process I would attempt to find such programs].
2) No. Struts2 [which is a different code base
Hello all
I am new to the mailing list as well as new to Apache Struts. We all heard
in the news about the vulnerability affecting Apache Struts. I have been
tasked to determine which of our servers have Struts running on them. I
have a few questions on how to determine if a server is running St
2017-09-06 18:40 GMT+02:00 William Stranathan :
> Any ETA?
Under way to the Central and mirrors
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For addi
Any ETA?
On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart
wrote:
> 2017-09-06 16:12 GMT+02:00 Emi :
> > Hello,
> >>
> >> I finally read your email where you gave the dist URL for the dev
> release.
> >
> > This is the release that I should use for 2.3 right?
> >
> > https://dist.apache.org/repos/di
Incidentally, the wiki points out that 2.3 is vulnerable, but
http://struts.apache.org/docs/s2-052.html still only states 2.5.
On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart
wrote:
> 2017-09-06 16:12 GMT+02:00 Emi :
> > Hello,
> >>
> >> I finally read your email where you gave the dist URL for th
2017-09-06 16:12 GMT+02:00 Emi :
> Hello,
>>
>> I finally read your email where you gave the dist URL for the dev release.
>
> This is the release that I should use for 2.3 right?
>
> https://dist.apache.org/repos/dist/dev/struts/2.3.34/
Yes, it should be officially released and announced soon
R
Hello,
I finally read your email where you gave the dist URL for the dev release.
This is the release that I should use for 2.3 right?
https://dist.apache.org/repos/dist/dev/struts/2.3.34/
Thanks.
I tested against the struts2-rest-showcase app, a URL that was vulnerable
in other versions.
I
Thanks a lot!
2017-09-06 15:56 GMT+02:00 William Stranathan :
> I finally read your email where you gave the dist URL for the dev release.
> I tested against the struts2-rest-showcase app, a URL that was vulnerable
> in other versions.
>
> I also manually built just struts2-core, rest-plugin, conf
I finally read your email where you gave the dist URL for the dev release.
I tested against the struts2-rest-showcase app, a URL that was vulnerable
in other versions.
I also manually built just struts2-core, rest-plugin, config-browser, and
rest-showcase apps, and attempted the exploit against th
2017-09-06 12:37 GMT+02:00 Lukasz Lenart :
> Here is the full info
> http://markmail.org/message/5xuhb2vwc7iagjjr
William, how does your test pass?
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Ah.. right, I forgot about that
2017-09-06 13:11 GMT+02:00 William Stranathan :
> And yes, it looks like the Jenkins builds have been failing for quite some
> time:
> https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console
> (that
> error message is not too dis
2017-09-06 13:04 GMT+02:00 William Stranathan :
> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the
> 2.3.34 snapshot of the rest-plugin dated August 12.
>
> I just did a build of only the bits needed to get the rest-showcase running
> (so mvn install, when that fails, mvn in
And yes, it looks like the Jenkins builds have been failing for quite some
time:
https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console
(that error message is not too dissimilar from the one I get with JDK 7 in
the same module).
On Wed, Sep 6, 2017 at 7:04 AM
Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the
2.3.34 snapshot of the rest-plugin dated August 12.
I just did a build of only the bits needed to get the rest-showcase running
(so mvn install, when that fails, mvn install -f
plugins/rest-plugin/pom.xml, then app/rest-showc
2017-09-06 12:31 GMT+02:00 William Stranathan :
> Odd - when I tested the snapshots, they were still vulnerable. I'm not able
> to get it to build from source (now some odd javac access exception).
Strange, do you have a date of the snapshot? Maybe Jenkins stopped
publishing them.
> Where do I ge
Odd - when I tested the snapshots, they were still vulnerable. I'm not able
to get it to build from source (now some odd javac access exception).
Where do I get the bits for testing 2.3.34, if not the snapshots?
On Wed, Sep 6, 2017 at 1:36 AM Lukasz Lenart
wrote:
> 2017-09-06 6:22 GMT+02:00 Wil
>
> I tried
> export CLASSPATH=$JAVA_HOME/lib:$HOME/Struts2/struts-2.5.12/lib:$CATALINA_HOME/lib:$CLASSPATH:.
>
> but the helloworld link in index.jsp still did not see the
> /home/alkao/Struts2/struts-2.5.12/lib/commons-lang3-3.6.jar.
>
>
> my_tomcat.log did not have this line any more
>