Open a JIRA ticket and submit a patch. We welcome help from the community.

On Mon, Jul 12, 2010 at 2:06 PM, Zheng, Xiahong <xiahong.zh...@fmr.com> wrote:
> Hi,
>
> Spring recently released the following security vulnerability in its MVC data
> binding framework. Here is the description:
>
> The Spring Framework provides a mechanism to use client-provided data to
> update the properties of an object. This mechanism allows an attacker to
> modify the properties of the class loader used to load the object (via
> 'class.classloader'). This can lead to arbitrary command execution since, for
> example, an attacker can modify the URLs used by the class loader to point to
> locations controlled by the attacker.
>
> For the full description, follow this link:
> http://www.springsource.com/security/cve-2010-1622
>
> Although Struts is not vulnerable to the exact attack described in the CVE,
> we found Struts' binding mechanism does expose opportunities for an
> attacker to manipulate other classloader properties such as "delegationMode",
> "jarPath", "antiJarLocking", etc. I am wondering if the Struts team is aware
> of this and has any plans for a fix in the near future.
>
> Thanks,
> Xiaohong Zheng
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
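The defensive side of the issue raised above, as an added illustration that is not code from Struts or from this thread: a hypothetical request-parameter binder that refuses any property path passing through the bean's `class` property (and so its `classLoader`) before touching the target object. `SafeBinder`, `UserForm`, the regular expression and the constructed parameter map are all assumptions for the example.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical hardened binder: rejects parameter names that could reach
 *  Object.getClass() and from there the class loader's properties. */
public final class SafeBinder {
    // A path segment named "class" or "classLoader" anywhere in the dotted /
    // indexed path is refused. A per-form allowlist is stronger still.
    private static final Pattern FORBIDDEN = Pattern.compile(
        "(^|\\.|\\[)(class|classLoader)(\\.|\\[|$)", Pattern.CASE_INSENSITIVE);

    public static boolean isAllowedPath(String path) {
        return !FORBIDDEN.matcher(path).find();
    }

    /** Binds only top-level, writable String properties of the target bean;
     *  nested paths and forbidden names are logged and skipped. */
    public static void bind(Object target, Map<String, String> params) throws Exception {
        PropertyDescriptor[] props =
            Introspector.getBeanInfo(target.getClass()).getPropertyDescriptors();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            if (!isAllowedPath(name) || name.contains(".")) {
                System.out.println("rejected parameter: " + name);
                continue;
            }
            for (PropertyDescriptor pd : props) {
                if (pd.getName().equals(name) && pd.getWriteMethod() != null
                        && pd.getPropertyType() == String.class) {
                    pd.getWriteMethod().invoke(target, e.getValue());
                }
            }
        }
    }

    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();
        // Constructed request: one legitimate field, one aimed at the class loader.
        Map<String, String> params = Map.of(
            "name", "alice",
            "class.classLoader.jarPath", "/tmp/constructed");
        bind(form, params);              // prints "rejected parameter: class.classLoader.jarPath"
        System.out.println("name = " + form.getName());
    }
}
```

The same `isAllowedPath` check, applied before any reflective traversal, is the kind of pre-binding filter a framework-level fix would install so the properties listed in the message ("delegationMode", "jarPath", "antiJarLocking") are never reachable from request parameters.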