Thanks a lot! 2017-09-06 15:56 GMT+02:00 William Stranathan <w...@thestranathans.com>: > I finally read your email where you gave the dist URL for the dev release. > I tested against the struts2-rest-showcase app, a URL that was vulnerable > in other versions. > > I also manually built just struts2-core, rest-plugin, config-browser, and > rest-showcase apps, and attempted the exploit against that as well, and > that also gave the exception around class permissions (the exception it > should throw when deserialization attempts to instantiate a non-allowed > class). > > On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart <lukaszlen...@apache.org> > wrote: > >> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart <lukaszlen...@apache.org>: >> > Here is the full info >> > http://markmail.org/message/5xuhb2vwc7iagjjr >> >> William, how does your test pass? >> >> >> Regards >> -- >> Ćukasz >> + 48 606 323 122 <+48%20606%20323%20122> http://www.lenart.org.pl/ >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org >> For additional commands, e-mail: user-h...@struts.apache.org >> >>
--------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
