struts-user mailing list archives

From "Caoilte O'Connor" <caoi...@gmail.com>
Subject production use of a Struts 2.0.x website
Date Wed, 13 Oct 2010 14:37:45 GMT
Hi,
I'm investigating the changes that we will need for production use of a
website code base utilizing Struts2.

1) =========================
First of all, we are still using 2.0.x series Struts2. From what I can
tell this means we are theoretically vulnerable to

http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

although this isn't made clear on

http://struts.apache.org/2.0.14/index.html

However, although I have successfully reproduced CVE-2010-1870 on a
Windows environment, I have been unable to reproduce it on any of our
Linux environments. I don't understand why they would be immune to the
attack and would be very interested in finding out if the attack
should still be reproducible or if anybody else has seen similar
behaviour on any version of Struts2.

2) =========================
Secondly, we haven't applied any "Freemarker" configuration settings
as advised here

http://struts.apache.org/2.0.14/docs/performance-tuning.html

I think it was probably assumed that because we use JSP/Struts2 tags
there wouldn't be any Freemarker to configure. However, I have
seen Freemarker engine classes in thread dumps and, given the following
Struts 2.2-only advice here,

http://struts.apache.org/2.x/docs/javatemplates-plugin.html

it looks like we should

i) Create a freemarker.properties file in your WEB-INF/classes directory.
ii) enable Freemarker template caching

Is that correct?

3) =========================
Finally, I fully expect any reply to this email to start by telling me
that we should upgrade to Struts 2.2.1. Would anybody be kind enough
to venture a rough guess of how difficult that would be for us and how
much of a performance increase it could give us? We seem to:
i) have quite a few custom interceptors and chains
ii) make extensive use of most S: and SS: tags in jsp.



Apologies for the interconnected series of questions. Thank you so
much for your time if you are able to answer or comment on any part of
them.

Regards


Caoilte O'Connor

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
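The check behind question 1, added here as an illustration that is not part of the original message or of the Struts/XWork code base: CVE-2010-1870 turns on the fact that the 2.0.x ParametersInterceptor filtered parameter names with a character blacklist (reject '=', ',', '#', ':'), while OGNL later resolves the escape \u0023 back into '#'. The 2.2.1 fix replaced the blacklist with a whitelist regex of bean-property-style names. Both checks are re-implemented below in Python; the blacklist characters and the whitelist regex are reproduced from memory of the Java sources and are assumptions of this example, and the sample parameter names are constructed (the escaped one is not an exploit, it only carries an escaped '#').

```python
"""Parameter-name filtering in XWork's ParametersInterceptor, before and after
the CVE-2010-1870 fix, re-implemented in Python for illustration.

Not code from the Struts project: the 2.0.x blacklist characters and the
2.2.1 whitelist regex are reproduced from memory of the Java sources and are
assumptions of this example.
"""
import re

# Constructed sample parameter names, as a servlet container would hand them
# to the interceptor. The last one is not an exploit payload: it only shows a
# '#' written as the Java/OGNL escape \u0023, which is what the CVE relies on.
SAMPLE_PARAM_NAMES = [
    "user.name",
    "items[0].id",
    "address['city']",
    "#session.user",              # literal '#': rejected by both versions
    "('\\u0023request')(x)",      # escaped '#': passes the old blacklist
]

# Struts 2.0.x / XWork 2.0.x: ParametersInterceptor.acceptableName() was a
# character blacklist that looked for these literal characters only.
BLACKLISTED_CHARS = "=,#:"


def acceptable_name_2_0(name: str) -> bool:
    """Return True if the 2.0.x blacklist would let this name through."""
    return not any(ch in name for ch in BLACKLISTED_CHARS)


# Struts 2.2.1 (fix): ParametersInterceptor.ACCEPTED_PARAM_NAMES became a
# whitelist allowing only bean-property-style names. Java's matches() is an
# anchored match and Java's \w is ASCII, hence fullmatch() and re.ASCII.
ACCEPTED_PARAM_NAMES = re.compile(
    r"\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*", re.ASCII
)


def acceptable_name_2_2(name: str) -> bool:
    """Return True if the 2.2.1 whitelist would let this name through."""
    return ACCEPTED_PARAM_NAMES.fullmatch(name) is not None


def ognl_unescape(name: str) -> str:
    """Approximate what OGNL sees once it parses the name as an expression:
    Java-style \\uXXXX escapes resolve to the characters they encode.
    Python's unicode_escape codec stands in for OGNL's string-literal parser."""
    return name.encode("ascii", "backslashreplace").decode("unicode_escape")


def evaluate(names=SAMPLE_PARAM_NAMES) -> dict:
    """For each name, record what each filter does and whether a '#' appears
    only after escapes are resolved, i.e. after the old filter has run."""
    report = {}
    for name in names:
        report[name] = {
            "blacklist_2_0_accepts": acceptable_name_2_0(name),
            "whitelist_2_2_accepts": acceptable_name_2_2(name),
            "hash_after_unescape": "#" in ognl_unescape(name),
        }
    return report


def names_that_slip_past_2_0(names=SAMPLE_PARAM_NAMES) -> list:
    """Names the 2.0.x filter accepts even though they resolve to contain '#'."""
    return [
        n for n, r in evaluate(names).items()
        if r["blacklist_2_0_accepts"] and r["hash_after_unescape"]
    ]


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:28} 2.0.x accepts={r['blacklist_2_0_accepts']!s:5} "
              f"2.2.1 accepts={r['whitelist_2_2_accepts']!s:5} "
              f"'#' after unescape={r['hash_after_unescape']}")
```

Run it and the escaped name is the only one the 2.0.x check accepts while still resolving to a '#'; the 2.2.1 whitelist rejects it before OGNL ever sees it. The name check itself is plain string handling and behaves the same on every platform; this example makes no claim about why the reproduction differed between the Windows and Linux environments described above.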

