RE: CVE-2015-5209

2016-02-22 Thread Martin Gainty
Hi Brent
Apply the following regex to exclude vulnerable parameters from the Request:
"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*","^(action|method):.*"
https://struts.apache.org/docs/s2-026.html
or upgrade to Struts 2.3.24.1

Good Question!
Martin 



> Date: Mon, 22 Feb 2016 11:10:39 -0700
> Subject: CVE-2015-5209
> From: brentbark...@gmail.com
> To: user@struts.apache.org
> 
> Hi,
> 
> We are upgrading struts to patch a potential security hole (S2-026
> <https://cwiki.apache.org/confluence/display/WW/S2-026>) I want to ensure
> the vulnerability no longer exists in our application after upgrading to
> v2.3.24.1. Would someone mind pointing me in the right direction to test
> the vulnerability?
> 
> Thanks in advance!
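
A way to check which parameter names the two exclusion patterns quoted in the reply above would reject, as an added example that is not part of the original thread or of Struts itself. The class name, the `isExcluded` helper and the sample names are hypothetical, and it assumes a name is rejected when a pattern matches the whole name.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class ExcludeParamsCheck {
    // The two patterns from the message above, pasted as Java string literals.
    static final List<Pattern> EXCLUDED = Arrays.asList(
        Pattern.compile("(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*"),
        Pattern.compile("^(action|method):.*"));

    // Assumption: exclusion means a full match of the parameter name.
    static boolean isExcluded(String paramName) {
        for (Pattern p : EXCLUDED) {
            if (p.matcher(paramName).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed parameter names mapped to the result the patterns should give.
        Map<String, Boolean> cases = new LinkedHashMap<>();
        cases.put("session.user", true);              // bare context object
        cases.put("top.session.user", true);          // reached through "top."
        cases.put("#context.foo", true);              // leading '#'
        cases.put("[0].request.x", true);             // stack index prefix
        cases.put("%{request.x}", true);              // expression wrapper
        cases.put("_memberAccess[x]", true);          // bracket access
        cases.put("action:login", true);              // second pattern
        cases.put("method:save", true);               // second pattern
        cases.put("user.name", false);                // ordinary form field
        cases.put("sessionId", false);                // keyword not followed by '.' or '['
        cases.put("customer.address[0].city", false); // ordinary nested property

        int failures = 0;
        for (Map.Entry<String, Boolean> e : cases.entrySet()) {
            boolean actual = isExcluded(e.getKey());
            boolean ok = actual == e.getValue();
            if (!ok) failures++;
            System.out.printf("%-26s excluded=%-5b %s%n", e.getKey(), actual, ok ? "OK" : "UNEXPECTED");
        }
        if (failures > 0) System.exit(1); // non-zero exit when a pattern behaves unexpectedly
    }
}
```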
  

CVE-2015-5209

2016-02-22 Thread Brent Barker
Hi,

We are upgrading struts to patch a potential security hole (S2-026). I want to ensure
the vulnerability no longer exists in our application after upgrading to
v2.3.24.1. Would someone mind pointing me in the right direction to test
the vulnerability?

Thanks in advance!


CVE-2015-5209

2015-10-06 Thread David Gawron
Hello,

I know that Struts1 and 2 are completely different code bases, but I was 
wondering if the technique used by the exploit described in the CVE and 
https://struts.apache.org/docs/s2-026.html could possibly apply to a 
Struts 1 deployment?  There are no references to a ValueStack in the Struts 
1 code, but is there an equivalent feature that could be vulnerable?

-Dave-

--
Dave Gawron
Architect, WebSphere Portlet Factory
978-899-2171 T/L 276-2171
dgaw...@us.ibm.com

"Perfection is achieved, not when there is nothing more to add, but when 
there is nothing left to take away."
-- Antoine de Saint-Exupéry



Re: CVE-2015-5209

2015-10-06 Thread Dave Newton
Expressions aren't evaluated in S1; there is nothing like it I'm aware of.

Dave


On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:

> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
> Struts 1 deployment?  There are no references to a ValueStack in the Struts
> 1 code, but is there an equivalent feature that could be vulnerable?
>
> -Dave-
>
> --
> Dave Gawron
> Architect, WebSphere Portlet Factory
> 978-899-2171 T/L 276-2171
> dgaw...@us.ibm.com
>
> "Perfection is achieved, not when there is nothing more to add, but when
> there is nothing left to take away."
> -- Antoine de Saint-Exupéry
>
>


-- 
e: davelnew...@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton 
b: Bucky Bits 
g: davelnewton 
so: Dave Newton 


Re: CVE-2015-5209

2015-10-06 Thread Sreekanth S. Nair
Struts1 is completely safe to use since no OGNL is involved; unfortunately
people started misusing Struts2 the way it's easy to use, and it's in a way
to fix all the security holes found till now.

-- 
Thanks & Regards

Sreekanth S Nair
Java Developer
---
eGovernments Foundation 
Ph : 9980078913
---

   


On Wed, Oct 7, 2015 at 12:36 AM, Lukasz Lenart wrote:

> 2015-10-06 21:04 GMT+02:00 David Gawron:
> > Hello,
> >
> > I know that Struts1 and 2 are completely different code bases, but I was
> > wondering if the technique used by the exploit described in the CVE and
> > https://struts.apache.org/docs/s2-026.html could possibly apply to a
> > Struts 1 deployment?  There are no references to a ValueStack in the Struts
> > 1 code, but is there an equivalent feature that could be vulnerable?
>
> Nope, as far as I know :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> -
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>


Re: CVE-2015-5209

2015-10-06 Thread Lukasz Lenart
2015-10-06 21:04 GMT+02:00 David Gawron:
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
> Struts 1 deployment?  There are no references to a ValueStack in the Struts
> 1 code, but is there an equivalent feature that could be vulnerable?

Nope, as far as I know :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: CVE-2015-5209

2015-10-06 Thread Dave Newton
Same as s2-025 from your earlier question.

On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton wrote:

> Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
>
> Dave
>
>
> On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
>
>> Hello,
>>
>> I know that Struts1 and 2 are completely different code bases, but I was
>> wondering if the technique used by the exploit described in the CVE and
>> https://struts.apache.org/docs/s2-026.html could possibly apply to a
>> Struts 1 deployment?  There are no references to a ValueStack in the Struts
>> 1 code, but is there an equivalent feature that could be vulnerable?
>>
>> -Dave-
>>
>> --
>> Dave Gawron
>> Architect, WebSphere Portlet Factory
>> 978-899-2171 T/L 276-2171
>> dgaw...@us.ibm.com
>>
>> "Perfection is achieved, not when there is nothing more to add, but when
>> there is nothing left to take away."
>> -- Antoine de Saint-Exupéry
>>
>>
>
>
> --
> e: davelnew...@gmail.com
> m: 908-380-8699
> s: davelnewton_skype
> t: @dave_newton 
> b: Bucky Bits 
> g: davelnewton 
> so: Dave Newton 
>
>


-- 
e: davelnew...@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton 
b: Bucky Bits 
g: davelnewton 
so: Dave Newton