struts-user mailing list archives

From Dave Newton <davelnew...@gmail.com>
Subject Re: CVE-2015-5209
Date Tue, 06 Oct 2015 19:06:33 GMT
Same as s2-025 from your earlier question.

On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton <davelnewton@gmail.com> wrote:

> Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
>
> Dave
>
>
> On Tue, Oct 6, 2015 at 3:04 PM, David Gawron <dgawron@us.ibm.com> wrote:
>
>> Hello,
>>
>> I know that Struts1 and 2 are completely different code bases, but I was
>> wondering if the technique used by the exploit described in the CVE and
>> https://struts.apache.org/docs/s2-026.html could possibly apply to a
>> Struts 1 deployment? There are no references to a ValueStack in the Struts
>> 1 code, but is there an equivalent feature that could be vulnerable?
>>
>> -Dave-
>>
>> ----------------------------------------------------------------------
>> Dave Gawron
>> Architect, WebSphere Portlet Factory
>> 978-899-2171 T/L 276-2171
>> dgawron@us.ibm.com
>>
>> "Perfection is achieved, not when there is nothing more to add, but when
>> there is nothing left to take away."
>> -- Antoine de Saint-Exupéry
>>
>>
>
>
> --
> e: davelnewton@gmail.com
> m: 908-380-8699
> s: davelnewton_skype
> t: @dave_newton <https://twitter.com/dave_newton>
> b: Bucky Bits <http://buckybits.blogspot.com/>
> g: davelnewton <https://github.com/davelnewton>
> so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
>
>


-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
