Hi,

Spring recently released the following security vulnerability in its MVC data binding framework. Here is the description:

"The Spring Framework provides a mechanism to use client provided data to update the properties of an object. This mechanism allows an attacker to modify the properties of the class loader used to load the object (via 'class.classloader'). This can lead to arbitrary command execution since, for example, an attacker can modify the URLs used by the class loader to point to locations controlled by the attacker."

For the full description, follow this link: http://www.springsource.com/security/cve-2010-1622

Although Struts is not vulnerable to the exact attack described in the CVE, we found that Struts' binding mechanism does expose the opportunity for an attacker to manipulate other classloader properties such as "delegationMode", "jarPath", "antiJarLocking", etc.

I am wondering if the Struts team is aware of this and has any plans for a fix in the near future.

Thanks,
Xiaohong Zheng
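As an added illustration that is not part of the original post or of the Struts or Spring projects, the following Python sketch shows the defensive check a request-binding layer can apply to client-supplied property paths: an allowlist of expected root properties combined with a rejection of any path segment that reaches the bound object's Class or ClassLoader (the traversal behind CVE-2010-1622), including bracket and mixed-case spellings. The parameter names and the SENSITIVE_SEGMENTS list are constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Segments that let a property path walk from the bound bean to its Class
# and then its ClassLoader. Constructed for this example, not a project list.
SENSITIVE_SEGMENTS = {"class", "classloader"}

# Matches either a bare identifier ("user", "classLoader") or an indexed /
# bracketed segment ("[0]", "['class']") so both spellings get the same treatment.
_SEGMENT_RE = re.compile(r"""([A-Za-z_][A-Za-z0-9_]*)|\[\s*['"]?([^'"\]]*)['"]?\s*\]""")


def path_segments(param_name: str) -> List[str]:
    """Split a binding expression into lowercase segments."""
    return [(m.group(1) or m.group(2)).strip().lower()
            for m in _SEGMENT_RE.finditer(param_name)]


def is_unsafe_binding(param_name: str) -> bool:
    """True when the parameter name could reach Class/ClassLoader metadata."""
    return any(seg in SENSITIVE_SEGMENTS for seg in path_segments(param_name))


def filter_request_params(params: Dict[str, str],
                          allowed_roots: Set[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (parameters safe to bind, names that were rejected).

    A name is accepted only if its first segment is an expected form property
    and no segment along the path is a sensitive one. Rejected names are
    returned so the caller can log them as a tampering indicator.
    """
    accepted, rejected = {}, []
    for name, value in params.items():
        segs = path_segments(name)
        if not segs or segs[0] not in allowed_roots or is_unsafe_binding(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed request parameters: two legitimate fields plus probes that try
# to reach classloader properties named in the thread (URLs, jarPath, delegationMode).
SAMPLE_PARAMS = {
    "user.name": "alice",
    "user.email": "alice@example.invalid",
    "user.class.classLoader.URLs[0]": "probe",
    "Class.ClassLoader.jarPath": "probe",
    "user['class']['classLoader'].delegationMode": "probe",
    "order.total": "10",  # unexpected root for this form
}

if __name__ == "__main__":
    ok, bad = filter_request_params(SAMPLE_PARAMS, {"user"})
    print("bound:", sorted(ok), "rejected:", bad)
```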