Possible DoS? Isn't this a remote exploit? Can you call arbitrary methods?
Bob
On 7/5/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
Some simple testing shows that the field value is simply evaluated...
Try to put %{1+1} in a Struts textfield, submit, and you'll get "2" in
the field...
Cool, but I don't think it should be the default behaviour.
What constructs can trigger recursion?
On 05/Jul/07, at 14:00, Andrea wrote:
> Antonio Petrelli <antonio.petrelli <at> gmail.com> writes:
>
>>
>> Hi all,
>> Andrea Vettori, in the Struts Users mailing list, probably discovered
>> a possible Denial-Of-Service bug in Struts 2.
>> The cause could be XWork.
>>
>
> Hi,
>
> furthermore I'd like to know if there are other "values" that can
> trigger the
> problem.
> Since I don't think that normal users of my site use that kind of
> password,
> I'm looking for whatever has triggered the problem about once a day
> on my
> e-commerce site...
>
> I've tried to follow the source of various classes but it's all new
> to me so I'm
> a bit lost.
>
> Thanks
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
--
Ing. Andrea Vettori
Information Technology Consultant
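For tracking down which submitted values carry the %{...} syntax reported in this thread, the following scanner is an added example and not part of the original messages or of Struts/XWork. The function names, the decode-round limit and the sample request bodies are assumptions constructed for illustration.

```python
"""Flag form parameters whose value contains a balanced %{...} span."""
from urllib.parse import parse_qsl, unquote_plus

EXPR_OPEN = "%{"
# Assumption: values may have been percent-encoded more than once in transit.
MAX_DECODE_ROUNDS = 3


def find_expression(value):
    """Return the first balanced %{...} span in value, or None."""
    start = value.find(EXPR_OPEN)
    while start != -1:
        depth = 0
        for i in range(start + 1, len(value)):
            if value[i] == "{":
                depth += 1
            elif value[i] == "}":
                depth -= 1
                if depth == 0:
                    return value[start:i + 1]
        # This opener never closed; try the next one.
        start = value.find(EXPR_OPEN, start + 1)
    return None


def scan_body(body):
    """Parse a form-encoded body or query string; return [(param, span)]."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for _ in range(MAX_DECODE_ROUNDS):
            expr = find_expression(value)
            if expr:
                hits.append((name, expr))
                break
            decoded = unquote_plus(value)
            if decoded == value:  # nothing left to decode
                break
            value = decoded
    return hits


# Constructed sample request bodies, not taken from any real site.
SAMPLES = [
    "username=alice&password=s3cret%21",
    "username=bob&password=%25%7B1%2B1%7D",
    "username=carol&password=%2525%257B1%252B1%257D",
    "username=dave&password=50%25+off+%7Bpromo%7D",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", scan_body(sample))
```

Run over logged request bodies, this lists the parameter names and spans worth inspecting; it only reports the syntax and does not evaluate anything.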