struts-user mailing list archives

From Dave Newton <davelnew...@gmail.com>
Subject Re: CVE-2015-5209
Date Tue, 06 Oct 2015 19:05:39 GMT
Expressions aren't evaluated in S1; there is nothing like it I'm aware of.

Dave


On Tue, Oct 6, 2015 at 3:04 PM, David Gawron <dgawron@us.ibm.com> wrote:

> Hello,
>
> I know that Struts 1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
> Struts 1 deployment?  There are no references to a ValueStack in the Struts
> 1 code, but is there an equivalent feature that could be vulnerable?
>
> -Dave-
>
> ----------------------------------------------------------------------
> Dave Gawron
> Architect, WebSphere Portlet Factory
> 978-899-2171 T/L 276-2171
> dgawron@us.ibm.com
>
> "Perfection is achieved, not when there is nothing more to add, but when
> there is nothing left to take away."
> -- Antoine de Saint-Exupéry
>
>


-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
