Hello,
I finally read your email where you gave the dist URL for the dev release.
This is the release that I should use for 2.3, right?

https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Thanks.
I tested against the struts2-rest-showcase app, a URL that was vulnerable
in other versions.

I also manually built just struts2-core, rest-plugin, config-browser, and
rest-showcase apps, and attempted the exploit against that as well, and
that also gave the exception around class permissions (the exception it
should throw when deserialization attempts to instantiate a non-allowed
class).

On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart <lukaszlen...@apache.org>
wrote:

2017-09-06 12:37 GMT+02:00 Lukasz Lenart <lukaszlen...@apache.org>:
Here is the full info
http://markmail.org/message/5xuhb2vwc7iagjjr
William, how does your test pass?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



