Expressions aren't evaluated in S1; there is nothing like it I'm aware of. Dave
On Tue, Oct 6, 2015 at 3:04 PM, David Gawron <dgaw...@us.ibm.com> wrote: > Hello, > > I know that Struts1 and 2 are completely different code bases, but I was > wondering if the technique used by the exploit described in the CVE and > https://struts.apache.org/docs/s2-026.html could possibly apply to a > Struts 1 deployment? There is no references to a ValueStack in the Struts > 1 code, but is there an equivalent feature that could be vulnerable? > > -Dave- > > ---------------------------------------------------------------------- > Dave Gawron > Architect, WebSphere Portlet Factory > 978-899-2171 T/L 276-2171 > dgaw...@us.ibm.com > > "Perfection is achieved, not when there is nothing more to add, but when > there is nothing left to take away." > -- Antoine de Saint-Exupéry > > -- e: davelnew...@gmail.com m: 908-380-8699 s: davelnewton_skype t: @dave_newton <https://twitter.com/dave_newton> b: Bucky Bits <http://buckybits.blogspot.com/> g: davelnewton <https://github.com/davelnewton> so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
