[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16747199#comment-16747199 ]
Markus Wulftange commented on WW-4348:
--------------------------------------
Hi [~lukaszlenart], _freemarker.Configuration_ is no longer accessible and so
are _Class_ instances. So the mentioned examples won't work any more.
But, at least with Tomcat, there is
{noformat}
#application["org.apache.tomcat.InstanceManager"].newInstance("…")
{noformat}
which can create arbitrary objects via the public argument-less constructor.
There are multiple classes that allow RCE that way.
> Remove access to static methods
> -------------------------------
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
> Affects Versions: 2.3.16.3
> Reporter: Lukasz Lenart
> Priority: Critical
> Fix For: 2.5.x
>
>
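A defensive check for the access pattern quoted in the comment above, as an added example that is not part of the original message or of Struts: it percent-decodes access-log lines and flags the `#application[...]` InstanceManager call. The log lines, the function names and the decode depth are constructed for illustration; the constructor argument stays elided as in the comment.

```python
import re
from urllib.parse import unquote_plus

# The expression from the comment, tolerant of either quote style and of
# whitespace around the brackets, the dot and the call.
PATTERN = re.compile(
    r"#application\s*\[\s*[\"']org\.apache\.tomcat\.InstanceManager[\"']\s*\]"
    r"\s*\.\s*newInstance\s*\("
)

def normalise(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded input compare equal."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_number, normalised_line) for every line containing the pattern."""
    hits = []
    for number, line in enumerate(lines, start=1):
        text = normalise(line)
        if PATTERN.search(text):
            hits.append((number, text))
    return hits

# Constructed access-log lines (not taken from the issue).
SAMPLE_LOG = [
    # 1: ordinary request
    '10.0.0.5 - - [21/Jan/2019:10:00:01] "GET /app/index.action?id=42 HTTP/1.1" 200 512',
    # 2: the expression, percent-encoded once
    '10.0.0.9 - - [21/Jan/2019:10:00:07] "GET /app/view.action?name=%23application'
    '%5B%22org.apache.tomcat.InstanceManager%22%5D.newInstance%28%22%E2%80%A6%22%29 HTTP/1.1" 200 87',
    # 3: double-encoded, single quotes, a space before the dot
    '10.0.0.9 - - [21/Jan/2019:10:00:09] "GET /app/view.action?name=%2523application'
    '%255B%2527org.apache.tomcat.InstanceManager%2527%255D%2520.newInstance'
    '%2528%2522%25E2%2580%25A6%2522%2529 HTTP/1.1" 200 87',
    # 4: attribute name mentioned without the OGNL context access
    '10.0.0.7 - - [21/Jan/2019:10:00:12] "GET /docs?q=org.apache.tomcat.InstanceManager HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, text in scan(SAMPLE_LOG):
        print(f"line {number}: {text}")
```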