Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?

2015-09-04 Thread Dave Newton
It was actually a rebranding of an existing framework, but yep; separate
codebase.

On Fri, Sep 4, 2015 at 12:51 PM, David Gawron <dgaw...@us.ibm.com> wrote:

> Dave,
>
> Thanks for the quick reply.  It looked like Struts 2 was a rewrite so I
> assumed it was very unlikely that the same vulnerability existed in Struts
> 1, but I needed to ask.
>
> -Dave-
>
> From:   Dave Newton <davelnew...@gmail.com>
> To: Struts Users Mailing List <user@struts.apache.org>
> Date:   09/03/2015 05:01 PM
> Subject: Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?
>
> There's no such thing as `devMode` in Struts 1.
>
> Struts 1 vulnerabilities would be in Struts 1 announcements, although with
> the EOL, announcements and fixes may never happen.
>
> Struts 1 and Struts 2 have essentially zero in common.
>
> Dave
>
>
> On Thu, Sep 3, 2015 at 4:41 PM, David Gawron <dgaw...@us.ibm.com> wrote:
>
> > The security bulletin for CVE-2015-5169 (
> > https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone
> > know if the vulnerability also exists in Struts 1 in some form?  I realize
> > Struts 1.x are no longer supported and that is why the bulletin doesn't
> > cover those releases.  I grabbed the 1.3.10 code and searched for the
> > devMode property (that property appears to be involved in the
> > vulnerability) and did not find any refs.  Searching for that property in
> > 2.x yields lots of references and leads me to believe the devMode
> > functionality was added in Struts 2.  If so, then that is good but not
> > conclusive evidence the vulnerability is not in Struts 1.  I'd appreciate
> > hearing any info others have on CVE-2015-5169 and Struts 1.
> >
> > -Dave-
> >
> >
>
>
> --
> e: davelnew...@gmail.com
> m: 908-380-8699
> s: davelnewton_skype
> t: @dave_newton <https://twitter.com/dave_newton>
> b: Bucky Bits <http://buckybits.blogspot.com/>
> g: davelnewton <https://github.com/davelnewton>
> so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
>
>
>
>




Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?

2015-09-04 Thread David Gawron
Dave,

Thanks for the quick reply.  It looked like Struts 2 was a rewrite so I 
assumed it was very unlikely that the same vulnerability existed in Struts 
1, but I needed to ask.

-Dave-




From:   Dave Newton <davelnew...@gmail.com>
To: Struts Users Mailing List <user@struts.apache.org>
Date:   09/03/2015 05:01 PM
Subject: Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?



There's no such thing as `devMode` in Struts 1.

Struts 1 vulnerabilities would be in Struts 1 announcements, although with
the EOL, announcements and fixes may never happen.

Struts 1 and Struts 2 have essentially zero in common.

Dave


On Thu, Sep 3, 2015 at 4:41 PM, David Gawron <dgaw...@us.ibm.com> wrote:

> The security bulletin for CVE-2015-5169 (
> https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone
> know if the vulnerability also exists in Struts 1 in some form?  I realize
> Struts 1.x are no longer supported and that is why the bulletin doesn't
> cover those releases.  I grabbed the 1.3.10 code and searched for the
> devMode property (that property appears to be involved in the
> vulnerability) and did not find any refs.  Searching for that property in
> 2.x yields lots of references and leads me to believe the devMode
> functionality was added in Struts 2.  If so, then that is good but not
> conclusive evidence the vulnerability is not in Struts 1.  I'd appreciate
> hearing any info others have on CVE-2015-5169 and Struts 1.
>
> -Dave-
>
>







Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?

2015-09-03 Thread Dave Newton
There's no such thing as `devMode` in Struts 1.

Struts 1 vulnerabilities would be in Struts 1 announcements, although with
the EOL, announcements and fixes may never happen.

Struts 1 and Struts 2 have essentially zero in common.

Dave


On Thu, Sep 3, 2015 at 4:41 PM, David Gawron wrote:

> The security bulletin for CVE-2015-5169 (
> https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone
> know if the vulnerability also exists in Struts 1 in some form?  I realize
> Struts 1.x are no longer supported and that is why the bulletin doesn't
> cover those releases.  I grabbed the 1.3.10 code and searched for the
> devMode property (that property appears to be involved in the
> vulnerability) and did not find any refs.  Searching for that property in
> 2.x yields lots of references and leads me to believe the devMode
> functionality was added in Struts 2.  If so, then that is good but not
> conclusive evidence the vulnerability is not in Struts 1.  I'd appreciate
> hearing any info others have on CVE-2015-5169 and Struts 1.
>
> -Dave-
>
>




Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?

2015-09-03 Thread David Gawron
The security bulletin for CVE-2015-5169 (
https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone 
know if the vulnerability also exists in Struts 1 in some form?  I realize 
Struts 1.x are no longer supported and that is why the bulletin doesn't 
cover those releases.  I grabbed the 1.3.10 code and searched for the 
devMode property (that property appears to be involved in the 
vulnerability) and did not find any refs.  Searching for that property in 
2.x yields lots of references and leads me to believe the devMode 
functionality was added in Struts 2.  If so, then that is good but not 
conclusive evidence the vulnerability is not in Struts 1.  I'd appreciate 
hearing any info others have on CVE-2015-5169 and Struts 1.

-Dave-
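
A configuration check related to the devMode property discussed in this thread, as an added example that is not part of the original messages: it walks a Struts 2 application tree and reports the config files that set the `struts.devMode` constant to true. It assumes the setting lives in XML `<constant>` elements or in `.properties` files; the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

PROP_RE = re.compile(r"^[ \t]*struts\.devMode[ \t]*[=:][ \t]*(\S*)", re.MULTILINE)

def devmode_values(name, text):
    """Return every value assigned to struts.devMode in one config file."""
    if name.endswith(".properties"):
        return PROP_RE.findall(text)  # '#' and '!' comment lines do not match
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return []  # not well-formed XML, nothing to report
    return [c.get("value", "") for c in root.iter("constant")
            if c.get("name") == "struts.devMode"]

def find_enabled_devmode(root_dir):
    """Walk root_dir; return sorted relative paths that set devMode to true."""
    hits = []
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.endswith((".xml", ".properties")):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                values = devmode_values(name, fh.read())
            if any(v.strip().lower() == "true" for v in values):
                hits.append(os.path.relpath(path, root_dir))
    return sorted(hits)

# Constructed sample files, not taken from any real project.
SAMPLES = {
    "app/struts.xml": '<struts><constant name="struts.devMode" value="true"/></struts>',
    "app/struts.properties": "# struts.devMode=true\nstruts.devMode = false\n",
    "admin/struts.properties": "struts.i18n.reload=false\nstruts.devMode: TRUE\n",
}

def build_sample_tree():
    root = tempfile.mkdtemp()
    for rel, body in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(find_enabled_devmode(build_sample_tree()))
```

Values are compared case-insensitively so that near-miss spellings such as `TRUE` are flagged for review as well.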