On Fri, Aug 2, 2013 at 7:01 AM, Jim Macalister jimmacalis...@gmail.com wrote:
> To get to my point. Struts2 is a great framework and we do use it for
> production systems. I think we should all contribute at least by donating
> directly to the struts2 developers. This will ensure the life of the
Hi to all,
there is no flawless software. Big companies spend millions if not billions
for their software and still get issues. How many cases of proven hacks or,
worse, sensitive info leaks have you read? I think quite a lot. Big
companies do use various platforms and especially open source. It
Anyone read this?
http://java.dzone.com/articles/was-struts-responsible-apples
How do we handle this?
F
I read that. I don't think we should do anything.
The blog post is speculative. Nobody from Apple told us whether it was
really a Struts problem or not. If it is, then well, we can't do
anything. This doesn't make Struts a dangerous framework at all; it
just highlights that you should update when your
Any Apple guy here?
I just want to know how Struts is used there.
I just know they use .action, which means Struts apps.
On Jul 31, 2013 7:22 PM, Christian Grobmeier grobme...@gmail.com wrote:
> I read that. I don't think we should do anything.
> The blog post is speculative. Nobody from Apple did tell us
I browsed through the Apple site; I could not find any clue that it was made in
Struts. Can you please let me know how the hacker recognized that it
was developed in Struts, and secondly how exactly he could hack it? Sorry if this
is out of scope for this forum.
On Wed, Jul 31, 2013 at 6:08 PM, Frans
Hi Vicky,
The .action by itself in the URLs is a good hint. Furthermore, if you check
the HTML source you'll probably find Struts written somewhere, e.g., dojodivs
Antonios
On 31 July 2013 14:04, vicky b vickyb2...@gmail.com wrote:
> I browsed through apple site i could not find any clue that
I read through the blog; I am confused at this statement:
> In Struts 2 before 2.3.15.1 the information following action:,
> redirect: or redirectAction: is not properly sanitized. Since said
> information will be evaluated as an OGNL expression against the value stack,
> this introduces the possibility to inject
You can't rely on anyone's code for security, not a .jar, not Struts, not
anything.
To guarantee security you need to go through every single entry point and fuzz
it yourself. This is a major pain and headache and only .001% of devs do this,
but don't blame the developers that are providing a
The blog post is speculative, but the Hacker News post was by Patrick
Lightbody, a WW founder. I'm not convinced OGNL itself is the issue, but
rather its unfettered access into internals. An intermediate, sandbox-y
layer might resolve that.
Dave
On Jul 31, 2013 8:22 AM, Christian Grobmeier
On Jul 31, 2013, at 9:25 AM, Dave Newton davelnew...@gmail.com wrote:
> I'm not convinced OGNL itself is the issue, but
> rather its unfettered access into internals. An intermediate, sandbox-y
> layer might resolve that.
It's only partially what data OGNL can fetch/modify; it's also what it can do.
Date: 31 Jul 2013 14:10:23 +0100
Subject: Re: Apple sec breach.. Struts?
From: gkogk...@tcd.ie
To: user@struts.apache.org
I'll voice my personal opinion.
No matter what framework you choose (Struts, MyFaces, Tapestry, etc.), it
is the responsibility of all IT shops to do a security vulnerability
assessment before first releasing to production and after each update. That
is Security 101 because there are a multitude of