struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paweł Wielgus <poulw...@gmail.com>
Subject Re: OGNL expressions in headers and parameters
Date Mon, 13 Mar 2017 11:49:05 GMT
Hi Thomás,
aren't you testing old voulnerable version?

If so, try the new one.


--
Pozdrawiam,
Paweł Wielgus.
tel: +48 604 603 546


2017-03-13 10:54 GMT+01:00 Tamás Barta <bartatamas@gmail.com>:
> Lukasz, I don't write it to blame you. I very appreciate your work.
>
> I just write to this list because it seems to me that these OGNL
> expressions are evaluated before my code is executed and I wonder if it can
> be disabled anyhow.
> Can I turn off these auto-evaluated thinks if I don't need them at all? You
> wrote that it is my code which initiates this, but I don't think so.
>
> On Mon, Mar 13, 2017 at 10:48 AM, Lukasz Lenart <lukaszlenart@apache.org>
> wrote:
>
>> 2017-03-13 10:43 GMT+01:00 Tamás Barta <bartatamas@gmail.com>:
>> > Interesting, I don't do such things. I write down the stack trace from
>> > where it is executed (in 2.5.2).
>> > This is the interesting part, there is no my code there.
>> >
>> > StrutsPrepareAndExecuteFilter:100                       // boolean
>> handled
>> > = execute.executeStaticResourceRequest(request, response);
>> > ->
>> > ExecuteOperations:59
>> >  // StaticContentLoader staticResourceLoader =
>> > dispatcher.getContainer().getInstance(StaticContentLoader.class);
>> > ->
>> > Dispatcher:897                                                       //
>> > Configuration config = mgr.getConfiguration();
>> > ->
>> > ConfigurationManager:73
>> > // conditionalReload();
>> > ->
>> > OgnlValueStackFactory:64
>> > // container.inject(stack);
>> > ...
>> >
>> > I tried this test script and put breakpoint in
>> > OgnlUtil.getExcludedClasses():
>> > https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
>>
>> but this is a vulnerability, a bug which was already fixed. We also
>> are developers that make mistakes.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message