checked this is not "strust2" list
>
>
> Regards,
> Martin
> > Date: Wed, 16 Oct 2013 08:21:28 -0400
> > From: ere...@mail.nysed.gov
> > To: user@struts.apache.org
> > Subj
> Date: Wed, 16 Oct 2013 08:21:28 -0400
> From: ere...@mail.nysed.gov
> To: user@struts.apache.org
> Subject: Re: Steps Involved in counter measurement for security issues
>
> First of all, security on web applications is of a c
First of all, security on web applications is of a concern but not as
much as one would think.
To find all the security vulnerabilities within any application, or
framework, one would find all the entry points which allow user
provided data. This could be a field, a protocol, etc. and then one
wo
Ok, so the only option is to go through each security bulletin and check
the provided Proof-of-Concept if it affects your application. And DMI
isn't a problem if used wisely.
https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
2013/10/16 Sreekanth S. Nair :
> Thanks Lukasz, the problem I'm
I don't mean it like that, but something like a proof of concept
like http://struts.apache.org/release/2.3.x/docs/s2-016.html
--
Thanks & Regards
Srikanth
Software Developer
eGovernments Foundations
www.egovernments.org
Mob : 9980078913
--
2013/10/16 Sreekanth S. Nair :
> Test Case to test the security vulnerability (major ones) in
> struts2-core-2.1.2.
Everything you can find is in the Struts repository, it's Open Source, not
closed-code software ;-)
And there is no "test" which magically checks security
vulnerabilities, even secu
Thanks Lukasz, the problem I'm facing now is our product is so huge to do a
migration and running mainly on DMI. I'm unable to convince my top
management about how bad strust2 vulnerability is (since I don't know how to
replicate the vulnerability). So I have no choice other than option 2.
--
Than
I do not think that is possible.
You have 2 options
1. Upgrade your struts2 version.
2. Go through security vulnerability and see what was there and create test
cases to see what exactly is happening and fix them by checking patches.
But IMO, upgrading to latest version is much more flexible and l
Test Case to test the security vulnerability (major ones) in
struts2-core-2.1.2.
--
Thanks & Regards
Srikanth
Software Developer
eGovernments Foundations
www.egovernments.org
Mob : 9980078913
On Wed, Oct 16, 2013 at 4:15 PM, Luka
2013/10/16 Sreekanth S. Nair :
> One more doubt, is this security vulnerability able to bring down the
> server :-) ? If we authorize ourselves to Apache, is it possible for the Struts
> team to give us a test case to check the vulnerability?
What do you mean by that? What test case do you refer to?
Re
One more doubt, is this security vulnerability able to bring down the
server :-) ? If we authorize ourselves to Apache, is it possible for the Struts
team to give us a test case to check the vulnerability?
--
Thanks & Regards
Srikanth
Software Developer
eGovernment
Hi,
Thanks Lukasz, but that's too much of a task to compare, rather I can
migrate ;-). Thanks Antonios, I will refer to those links.
--
Thanks & Regards
sreekanth
On Wed, Oct 16, 2013 at 3:25 PM, Antonios Gkogkakis wrote:
> Hi Sreekanth,
>
> Lukasz beat me!
>
Hi Sreekanth,
Lukasz beat me!
If you don't want to upgrade you should at least check the security
bulletins
http://struts.apache.org/release/2.2.x/docs/security-bulletins.html
http://struts.apache.org/release/2.3.x/docs/security-bulletins.html
see which vulnerabilities affect you and follow the
Tough task ;-)
The only option is to analyse what kind of vulnerabilities were
discovered after and which of them can potentially affect your version
(given the vulnerable functionality exists in the version you use right
now).
https://cwiki.apache.org/confluence/display/WW/Migration+Guide
2013/10
Hi,
Due to time and other internal constraints, we are unable to upgrade
strust2 to the latest version. So I would like to know, if we use an old
strust2 distro (in my case: struts2-core-2.1.2), what countermeasures
need to be taken care of?
Regards