First of all, security on web applications is of a concern but not as much as one would think.
To find all the security vulnerabilities within any application, or framework, one would find all the entry points which allow user-provided data. This could be a field, a protocol, etc., and then one would "fuzz" this process until the program crashed. Not only does a hacker need to crash the program, but hacking also requires knowledge by the attacker of the underlying operating system and what version it is. Most web applications run in a virtual environment with proxies between the real server and the user, so just finding out what to attack is hard if the network is properly configured. Certainly something to consider, but you will probably never find all the vulnerabilities; it's a much better approach to monitor your network and know your underlying systems. Even though Struts can be hacked, look at all those .jar files you included and run on your server with high-level permissions. Those too can be full of exploits, and most of those libs are just downloaded from the net by amateur developers.

Eric Reed
New York State Department of Education

>>> Lukasz Lenart <lukaszlen...@apache.org> 10/16/2013 7:12 AM >>>
Ok, so the only option is to go through each security bulletin and check the provided Proof-of-Concept to see if it affects your application. And DMI isn't a problem if used wisely.
https://cwiki.apache.org/confluence/display/WW/Security+Bulletins

2013/10/16 Sreekanth S. Nair <sreekanth.n...@egovernments.org>:
> Thanks Lukasz, the problem I'm facing now is our product is so huge to do a migration and is running mainly on DMI. I'm unable to convince my top management about how bad the Struts2 vulnerability is (since I don't know how to replicate the vulnerability). So I have no choice other than option 2.
>
> --
> Thanks & Regards
> Srikanth
> Software Developer
> --------------------------------
> eGovernments Foundations
> www.egovernments.org
> Mob : 9980078913
> --------------------------------
>
> On Wed, Oct 16, 2013 at 4:22 PM, Umesh Awasthi <umeshawas...@gmail.com> wrote:
>
>> I do not think that is possible.
>> You have 2 options:
>>
>> 1. Upgrade your Struts2 version.
>> 2. Go through the security vulnerabilities, see what was there, create test cases to see what exactly is happening, and fix them by checking patches.
>>
>> But IMO, upgrading to the latest version is much more flexible and less time consuming than going through each and every vulnerability and applying fixes for them.
>>
>> On Wed, Oct 16, 2013 at 4:17 PM, Sreekanth S. Nair <sreekanth.n...@egovernments.org> wrote:
>>
>> > Test Case to test the security vulnerabilities (major ones) in struts2-core-2.1.2.
>> >
>> > --
>> > Thanks & Regards
>> > Srikanth
>> > Software Developer
>> > --------------------------------
>> > eGovernments Foundations
>> > www.egovernments.org
>> > Mob : 9980078913
>> > --------------------------------
>> >
>> > On Wed, Oct 16, 2013 at 4:15 PM, Lukasz Lenart <lukaszlen...@apache.org> wrote:
>> >
>> > > 2013/10/16 Sreekanth S. Nair <sreekanth.n...@egovernments.org>:
>> > > > One more doubt, is this security vulnerability able to bring down the server :-) ? If we authorize ourselves to Apache, is it possible for the Struts team to give us a test case to check the vulnerability?
>> > >
>> > > What do you mean by that? What test case do you refer to?
>> > >
>> > > Regards
>> > > --
>> > > Łukasz
>> > > + 48 606 323 122 http://www.lenart.org.pl/
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
>> > > For additional commands, e-mail: user-h...@struts.apache.org
>> > >
>> >
>>
>> --
>> With Regards
>> Umesh Awasthi
>> http://www.travellingrants.com/
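As an added example, not written by anyone in the thread, here is a small Python script for the "know your underlying systems" side of the discussion: it inventories the Maven-style jar names in a deployment's lib directory and reports whether the deployed struts2-core (or any other artifact) is older than the "fixed in" version quoted by the bulletin being checked. The jar names and the fixed version 9.9.9 below are constructed placeholders, not values from any real bulletin.

```python
import re
from typing import Dict, List, Optional, Tuple

# Maven-style jar name: <artifactId>-<version>.jar. The version starts at the
# first "-" that is followed by a digit, e.g. "struts2-core-2.1.2.jar".
_JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")

# Constructed sample listing of a WEB-INF/lib directory (placeholder names).
SAMPLE_LIB = [
    "struts2-core-2.1.2.jar",
    "xwork-2.1.1-SNAPSHOT.jar",
    "commons-fileupload-1.2.1.jar",
    "helper.jar",            # no version in the name; ignored by the inventory
]


def parse_jar_name(filename: str) -> Optional[Tuple[str, str]]:
    """Return (artifactId, version) for a Maven-style jar name, else None."""
    m = _JAR_RE.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Sort key: dotted numeric segments, then a flag that is False for a
    qualified build such as 2.1.1-SNAPSHOT so it sorts below the release."""
    release, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in release.split("."))
    return nums, qualifier == ""


def is_older(found: str, fixed: str) -> bool:
    """True when `found` is strictly older than `fixed` (2.3 == 2.3.0)."""
    (a_nums, a_rel), (b_nums, b_rel) = version_key(found), version_key(fixed)
    width = max(len(a_nums), len(b_nums))
    a_nums += (0,) * (width - len(a_nums))
    b_nums += (0,) * (width - len(b_nums))
    return (a_nums, a_rel) < (b_nums, b_rel)


def inventory(jar_names: List[str]) -> Dict[str, str]:
    """Map artifactId -> version for every parseable jar name."""
    found: Dict[str, str] = {}
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed:
            found[parsed[0]] = parsed[1]
    return found


def check_bulletin(jar_names: List[str], artifact: str, fixed: str) -> Optional[str]:
    """Return the deployed version of `artifact` if it is older than the
    bulletin's fixed version; None if absent or already at/after it."""
    deployed = inventory(jar_names).get(artifact)
    return deployed if deployed and is_older(deployed, fixed) else None


if __name__ == "__main__":
    # Replace SAMPLE_LIB with os.listdir("WEB-INF/lib") on a real deployment.
    hit = check_bulletin(SAMPLE_LIB, "struts2-core", "9.9.9")  # placeholder
    print("struts2-core needs upgrade:", hit or "no")
```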