Hi Brent
Apply the following regex to exclude vulnerable parameters from the request:
"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*","^(action|method):.*"
Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
Dave
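
The exclusion regex from the first message in this thread, checked against constructed parameter names (an added example, not part of the original thread or of Struts itself). It assumes each pattern must match the whole parameter name; `is_excluded`, `filter_params` and the sample names are hypothetical.

```python
import re

# The two patterns from the message, with the Java string escaping removed
# (each \\ becomes \, and \" becomes ").
EXCLUDE_PATTERNS = [
    re.compile(
        r"""(^|\%\{)((#?)(top(\.|\['|\[")|\[\d\]\.)?)"""
        r"""(dojo|struts|session|request|response|application"""
        r"""|servlet(Request|Response|Context)|parameters|context|_memberAccess)"""
        r"""(\.|\[).*"""
    ),
    re.compile(r"^(action|method):.*"),
]


def is_excluded(param_name):
    """Return True if any exclusion pattern matches the whole parameter name.

    Assumption: full-match semantics, as with Java's Matcher.matches().
    """
    return any(p.fullmatch(param_name) for p in EXCLUDE_PATTERNS)


def filter_params(params):
    """Split request parameters into (accepted dict, sorted rejected names)."""
    accepted = {k: v for k, v in params.items() if not is_excluded(k)}
    rejected = sorted(k for k in params if is_excluded(k))
    return accepted, rejected


# Constructed sample request: names only, values are irrelevant to the check.
SAMPLE_REQUEST = {
    "username": "alice",
    "sessionId": "42",             # starts with "session" but has no "." or "["
    "session.user": "x",           # reaches into the session scope
    "top.request.attr": "x",       # same, via the "top." prefix
    "#_memberAccess['x']": "x",    # "#" prefix plus bracket access
    "%{#context['x']}": "x",       # "%{" expression wrapper
    "method:execute": "",          # "method:" prefix parameter
    "action:login": "",            # "action:" prefix parameter
}

if __name__ == "__main__":
    accepted, rejected = filter_params(SAMPLE_REQUEST)
    print("accepted:", sorted(accepted))
    print("rejected:", rejected)
```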
On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit
Struts1 is completely safe to use since no OGNL is involved. Unfortunately,
people started misusing Struts2 the way it's easy to use, and it's in a way
to fix all the security holes found till now.
--
Thanks & Regards
Sreekanth S Nair
Java Developer
---
2015-10-06 21:04 GMT+02:00 David Gawron :
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
>
Same as s2-025 from your earlier question.
On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton wrote:
> Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
>
> Dave
>
>
> On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
>
>> Hello,
>>