Any ETA?
On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote:
> 2017-09-06 16:12 GMT+02:00 Emi :
> > Hello,
> >>
> >> I finally read your email where you gave the dist URL for the dev release.
> >
> > This is the release that I should use for 2.3 right?
> >
> > https://dist.apache.org/repos/di
Incidentally, the wiki points out that 2.3 is vulnerable, but
http://struts.apache.org/docs/s2-052.html still only states 2.5.
On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote:
> 2017-09-06 16:12 GMT+02:00 Emi :
> > Hello,
> >>
> >> I finally read your email where you gave the dist URL for th
I finally read your email where you gave the dist URL for the dev release.
I tested against the struts2-rest-showcase app, a URL that was vulnerable
in other versions.
I also manually built just struts2-core, rest-plugin, config-browser, and
rest-showcase apps, and attempted the exploit against th
William Stranathan wrote:
> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the
> 2.3.34 snapshot of the rest-plugin dated August 12.
>
> I just did a build of only the bits needed to get the rest-showcase
> running (so mvn install, when that fails, mvn insta
-showcase), and that fails with
the correct permission message.
On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart wrote:
> 2017-09-06 12:31 GMT+02:00 William Stranathan :
> > Odd - when I tested the snapshots, they were still vulnerable. I'm not able
> > to get it to build from sou
MT+02:00 William Stranathan :
> > Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3
> > patch available yet. I've tried with the latest snapshots, and those are
> > also vulnerable.
> >
> > Is there a fix for this vulnerability on the 2.3
Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3
patch available yet. I've tried with the latest snapshots, and those are
also vulnerable.
Is there a fix for this vulnerability on the 2.3 stream forthcoming?
Don't put your html resources, CSS, etc. under WEB-INF - just put the
JSPs there. If your images or CSS or .js files have anything you need
to protect from direct access (passwords - perish the thought!
Proprietary information?), put them under WEB-INF and use DownloadAction
to send them.
w
We had this discussion a lot last week, and it seems to be somewhat
divided on whether JSPs belong in WEB-INF. What was your compelling
argument AGAINST it?
My compelling argument FOR it has always been that WEB-INF is where
application artifacts that are not complete web artifacts belong. W
Can't promise this, but make SURE your Action Mappings specifically
define the scope of your form bean. My HUNCH is that the one that
displays the first time is in session scope, but your submit action is
defining one in request scope.
w
Christopher Loschen wrote:
Hi all,
The action classes do
Is it entirely necessary to use the Struts taglib for it? Wouldn't it
be easier to use the JSTL (if available) or in a real pinch, the JSP
syntax for bean access?
Thorhauer, John (Contractor) wrote:
Hi,
Is it possible to use the struts html taglib from version 1.1 without using
Struts? I would
The subject is prolly a poor way to say what I'm trying to say.
Does anybody know of a simple way to use JSP as an INTERNAL templating
engine? For example, if I have a struts application where I'm
generating an email to send, I currently have to use Velocity on the
server side to put the val
And to be perfectly honest, I didn't know for sure - I just threw it
together using Netbeans, and ASSUMED since I was array-backing it, I'd
use an indexed property.
However, I know better now - that if I intend to pass the same property
name multiple times NOT to use indexed accessor/mutators,
13 matches