struts-issues mailing list archives

From "Rene Gielen (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (WW-2692) XWork ParameterInterceptors bypass (OGNL statement execution) (XW-641)
Date Wed, 15 Oct 2008 20:38:36 GMT

     [ https://issues.apache.org/struts/browse/WW-2692?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen resolved WW-2692.
-----------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.0.11.2)
                   2.0.13

Fixed by XWork 2.0.6 release.

See XW-641 (http://jira.opensymphony.com/browse/XW-641)

> XWork ParameterInterceptors bypass (OGNL statement execution) (XW-641)
> ----------------------------------------------------------------------
>
>                 Key: WW-2692
>                 URL: https://issues.apache.org/struts/browse/WW-2692
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.1.0, 2.1.1, 2.1.2
>            Reporter: Rene Gielen
>            Assignee: Rene Gielen
>            Priority: Critical
>             Fix For: 2.0.13, 2.1.3
>
>
> Meder Kydyraliev of the Google Security Team reported a vulnerability to the XWork team that allows attackers to bypass security measures implemented in ParametersInterceptor to inject OGNL expressions.
> Since XWork is the foundation of Struts2, this must be considered a Struts2 vulnerability as well.
> For a full description, see
> http://jira.opensymphony.com/secure/ViewIssue.jspa?key=XW-641

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

