Hi Brent
Apply the following regex to exclude vulnerable parameters from the request:
"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*","^(action|method):.*"
https://struts.apa
Struts1 is completely safe to use since no OGNL is involved. Unfortunately,
people started misusing Struts2 the way it's easy to use, and it's in a way
to fix all the security holes found till now.
--
Thanks & Regards
Sreekanth S Nair
Java Developer
---
eGovernm
2015-10-06 21:04 GMT+02:00 David Gawron :
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
> Struts 1 deployment? Th
Same as s2-025 from your earlier question.
On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton wrote:
> Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
>
> Dave
>
>
> On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
>
>> Hello,
>>
>> I know that Struts1 and 2 are completely
Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
Dave
On Tue, Oct 6, 2015 at 3:04 PM, David Gawron wrote:
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
>