I finally read your email where you gave the dist URL for the dev release. I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions.
I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against that as well, and that also gave the exception around class permissions (the exception it should throw when deserialization attempts to instantiate a non-allowed class). On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart <lukaszlen...@apache.org> wrote: > 2017-09-06 12:37 GMT+02:00 Lukasz Lenart <lukaszlen...@apache.org>: > > Here is the full info > > http://markmail.org/message/5xuhb2vwc7iagjjr > > William, how does your test pass? > > > Regards > -- > Ćukasz > + 48 606 323 122 <+48%20606%20323%20122> http://www.lenart.org.pl/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > >