RE: CVE-2015-5209

2016-02-22 Thread Martin Gainty
Hi Brent, apply the following regex to exclude the vulnerable parameters from the Request:

"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*","^(action|method):.*"

Re: CVE-2015-5209

2015-10-06 Thread Dave Newton
Expressions aren't evaluated in S1; there is nothing like it I'm aware of.

Dave

On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit

Re: CVE-2015-5209

2015-10-06 Thread Sreekanth S. Nair
Struts1 is completely safe to use since no OGNL is involved; unfortunately people started misusing Struts2 because of the way it's easy to use, and it's in a way to fix all the security holes found till now.

--
Thanks & Regards
Sreekanth S Nair
Java Developer
---

Re: CVE-2015-5209

2015-10-06 Thread Lukasz Lenart
2015-10-06 21:04 GMT+02:00 David Gawron:
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
>

Re: CVE-2015-5209

2015-10-06 Thread Dave Newton
Same as s2-025 from your earlier question.

On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton wrote:
> Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
>
> Dave
>
>
> On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
>
>> Hello,
>>