Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Sreekanth S. Nair
Thanks Eric and Martin for your valuable information; we already have a
high-security-backed network, server and application configuration. I was just
worried about underlying security issues with struts2.

-- 
Thanks & Regards
Srikanth
Software Developer

eGovernments Foundations
www.egovernments.org
Mob : 9980078913



On Thu, Oct 17, 2013 at 4:33 AM, Martin Gainty  wrote:

> all initial points of contact to your site should go through a login process
> with a public key backed by a cert provided by the vendor (you)
>
> if the cert was self-signed or the key is forged you should return a 401
> if the JSSE key exchange is successful then your session will be
> assigned a secure token valid only for that Session
>
> and you will now exchange information on SSLv3/TLS Transport, whichever
> connector is assigned to handle Secure Traffic
>
> The assigned Session-Token would "follow you" through the system and if your
> token's Principal was not in Role for the page or resource then the client sees
> a 403 (Forbidden) coming from you
> if ANYTHING does happen to your Session (invalidate or timeout) ...you
> invalidate the secure Token as well
>
> attempts to hack the Token by reading cookies wouldn't work either as each
> assigned Token is calc'ed off of JSESSION-ID by an algo that changes at
> random intervals
> SSLv3/TLS algos change at random intervals..so a cipher/algo that worked for
> One session would not work the next session
>
> Both Encryption and Decryption Algorithms as well as their respective Salt
> length would change at random intervals
> If you are a Math whiz and you developed an SSL/TLS encrypt algo
> going up, it would not work for the algo coming down ...Each entity's update
> schedule is orthogonal, meaning that any entity cannot and should not
> necessarily be able to be derived from another known entity (by
> conventional means)
>
> Moreover since most crypto algos are migrating from symmetric (same algo
> for encryption and decryption) to asymmetric (differing algos for encryption
> and decryption) the work you put into creating one non-repudiating algo for
> encrypting does not necessarily dovetail to cracking the second algo...
> http://en.wikipedia.org/wiki/Assymetric_key_cryptography
>
> the algos can be and are oftentimes different as seen here
>
> Browser->Algo1->Server
>
> vs
>
> Browser<-Algo2<--Server
>
>
>
> "how bad strust2 vulnerability is"...
>
> last time I checked this is not a "strust2" list
>
>
> Regards,
> Martin
> __
>
>
>
>
>
>
> > Date: Wed, 16 Oct 2013 08:21:28 -0400
> > From: ere...@mail.nysed.gov
> > To: user@struts.apache.org
> > Subject: Re: Steps Involved in counter measurement for security issues
> >
> > First of all, security on web applications is a concern, but not as
> > much as one would think.
> >
> > To find all the security vulnerabilities within any application or
> > framework, one would find all the entry points which allow user-provided
> > data. This could be a field, a protocol, etc., and then one
> > would "fuzz" this process until the program crashed.
> >
> > Not only does a hacker need to crash the program, but hacking also
> > requires knowledge by the attacker of the underlying operating system
> > and what version it is. Most web applications run in a virtual
> > environment with proxies between the real server and the user, so just
> > finding out what to attack is hard if the network is properly
> > configured.
> >
> > Certainly something to consider, but you will probably never find all
> > the vulnerabilities; it's a much better approach to monitor your
> > network and know your underlying systems.
> >
> > Even though Struts can be hacked, look at all those .jar files you
> > included and run on your server with high-level permissions. Those too
> > can be full of exploits, and most of those libs are just downloaded from
> > the net by amateur developers.
> >
> > Eric Reed
> > New York State Department of Education
> >
> >
> >
> >
> >
> > >>> Lukasz Lenart  10/16/2013 7:12 AM >>>
> > Ok, so the only option is to go through each security bulletin and check
> > the provided Proof-of-Concept to see if it affects your application. And DMI
> > isn't a problem if used wisely.
> >
> > https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
> >
> > 2013/10/16 Sreekanth S. Nair :
> > > Thanks Lukasz, the problem I'm facing now is that our product is too huge
> > > to do a migration and runs mainly on DMI. I'm unable to convince my top
> > > management about how bad the strust2 vulnerability is (since I don't know
> > > how to replicate the vulnerability). So I have no choice other than option 2.
> > >
> > > --
> > > Thanks & Regards
> > > Srikanth
> > > Software Developer
> > > 
> > > eGovernments Foundations
> > > www.egovernments.org
> > > Mob : 9980078913
> > > 
> > >
> > >
> > > On W

RE: Steps Involved in counter measurement for security issues

2013-10-16 Thread Martin Gainty
all initial points of contact to your site should go through a login process with
a public key backed by a cert provided by the vendor (you)


if the cert was self-signed or the key is forged you should return a 401
if the JSSE key exchange is successful then your session will be assigned a
secure token valid only for that Session

and you will now exchange information on SSLv3/TLS Transport, whichever
connector is assigned to handle Secure Traffic


The assigned Session-Token would "follow you" through the system and if your
token's Principal was not in Role for the page or resource then the client sees a
403 (Forbidden) coming from you
if ANYTHING does happen to your Session (invalidate or timeout) ...you
invalidate the secure Token as well

attempts to hack the Token by reading cookies wouldn't work either as each
assigned Token is calc'ed off of JSESSION-ID by an algo that changes at random
intervals
SSLv3/TLS algos change at random intervals..so a cipher/algo that worked for One
session would not work the next session

Both Encryption and Decryption Algorithms as well as their respective Salt
length would change at random intervals
If you are a Math whiz and you developed an SSL/TLS encrypt algo going up,
it would not work for the algo coming down ...Each entity's update schedule is
orthogonal, meaning that any entity cannot and should not necessarily be able to
be derived from another known entity (by conventional means)

Moreover since most crypto algos are migrating from symmetric (same algo for
encryption and decryption) to asymmetric (differing algos for encryption and
decryption) the work you put into creating one non-repudiating algo for
encrypting does not necessarily dovetail to cracking the second
algo... http://en.wikipedia.org/wiki/Assymetric_key_cryptography

the algos can be and are oftentimes different as seen here

Browser->Algo1->Server  

vs

Browser<-Algo2<--Server 

 

"how bad strust2 vulnerability is"...

last time I checked this is not a "strust2" list


Regards,
Martin
__ 


  



> Date: Wed, 16 Oct 2013 08:21:28 -0400
> From: ere...@mail.nysed.gov
> To: user@struts.apache.org
> Subject: Re: Steps Involved in counter measurement for security issues
> 
> First of all, security on web applications is a concern, but not as
> much as one would think.
>
> To find all the security vulnerabilities within any application or
> framework, one would find all the entry points which allow user-provided
> data. This could be a field, a protocol, etc., and then one
> would "fuzz" this process until the program crashed.
>
> Not only does a hacker need to crash the program, but hacking also
> requires knowledge by the attacker of the underlying operating system
> and what version it is. Most web applications run in a virtual
> environment with proxies between the real server and the user, so just
> finding out what to attack is hard if the network is properly
> configured.
>
> Certainly something to consider, but you will probably never find all
> the vulnerabilities; it's a much better approach to monitor your
> network and know your underlying systems.
>
> Even though Struts can be hacked, look at all those .jar files you
> included and run on your server with high-level permissions. Those too
> can be full of exploits, and most of those libs are just downloaded from
> the net by amateur developers.
> 
> Eric Reed
> New York State Department of Education
> 
> 
> 
> 
> 
> >>> Lukasz Lenart  10/16/2013 7:12 AM >>>
> Ok, so the only option is to go through each security bulletin and check
> the provided Proof-of-Concept to see if it affects your application. And DMI
> isn't a problem if used wisely.
> 
> https://cwiki.apache.org/confluence/display/WW/Security+Bulletins 
> 
> 2013/10/16 Sreekanth S. Nair :
> > Thanks Lukasz, the problem I'm facing now is that our product is too huge
> > to do a migration and runs mainly on DMI. I'm unable to convince my top
> > management about how bad the strust2 vulnerability is (since I don't know
> > how to replicate the vulnerability). So I have no choice other than option 2.
> >
> > --
> > Thanks & Regards
> > Srikanth
> > Software Developer
> > 
> > eGovernments Foundations
> > www.egovernments.org 
> > Mob : 9980078913
> > 
> >
> >
> > On Wed, Oct 16, 2013 at 4:22 PM, Umesh Awasthi wrote:
> >
> >> I do not think that is possible.
> >> You have 2 options
> >>
> >> 1. Upgrade your struts2 version.
> >> 2. Go through the security vulnerabilities, see what was there, create test
> >> cases to see what exactly is happening, and fix them by checking the patches.
> >>
> >> But IMO, upgrading to the latest version is much more flexible and less
> >> time-consuming than going through each and every vulnerability and
> >> applying fixes for them.
> >>
> >>
> >> On Wed, Oct 16, 2013 at 4:17 PM, Sreekanth S. Nair <
> >> sreekanth.n...@egovernments.org> wrote:
> >>

Re: [ANN] Struts 2.3.15.2 GA release available - security fix

2013-10-16 Thread Lukasz Lenart
2013/10/16 Greg Lindholm :
> Is there any estimated time of release for 2.3.15.3?

Under vote till this evening, then pushed to Central, then site
update and done :-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

2013-10-16 Thread Lukasz Lenart
2013/10/16 Markus Fischer :
> Hi Łukasz,
>
>> The latest version is here:
>> http://people.apache.org/builds/struts/2.3.15.3
>
> thanks for the update and the quick turnaround on this.
>
> I can confirm that with Struts-2.3.15.3, my issues with "action:"
> buttons are fixed. I.e., backward compatibility for applications using
> the "action:" prefix, as stated in S2-018, is restored.

SuperB! Thanks a lot!


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: [ANN] Struts 2.3.15.2 GA release available - security fix

2013-10-16 Thread Greg Lindholm
Is there any estimated time of release for 2.3.15.3?


On Wed, Oct 16, 2013 at 9:23 AM, Markus Fischer wrote:

> Hi Łukasz,
>
> > The latest version is here:
> > http://people.apache.org/builds/struts/2.3.15.3
>
> thanks for the update and the quick turnaround on this.
>
> I can confirm that with Struts-2.3.15.3, my issues with "action:"
> buttons are fixed. I.e., backward compatibility for applications using
> the "action:" prefix, as stated in S2-018, is restored.
>
> Many thanks!
> Markus
>
> http://struts.apache.org/release/2.3.x/docs/s2-018.html
>
>
>
>


Re: [ANN] Struts 2.3.15.2 GA release available - security fix

2013-10-16 Thread Markus Fischer
Hi Łukasz,

> The latest version is here:
> http://people.apache.org/builds/struts/2.3.15.3

thanks for the update and the quick turnaround on this.

I can confirm that with Struts-2.3.15.3, my issues with "action:"
buttons are fixed. I.e., backward compatibility for applications using
the "action:" prefix, as stated in S2-018, is restored.

Many thanks!
Markus

http://struts.apache.org/release/2.3.x/docs/s2-018.html





Re: "Cancel" button is not redirecting

2013-10-16 Thread Antonio Sánchez

Thanks!

On 16/10/2013 07:37 a.m., Lukasz Lenart wrote:

> Yes, I have downgraded to 2.3.15.1 and it will be fixed in 2.3.15.3
>
> 2013/10/16 Antonio Sánchez :
>
>> So, is it still possible to render a cancel button in 2.3.15.2? Or must I
>> downgrade to 2.3.15.1? Will the bug be fixed in 15.3?
>>
>> On Wednesday, 16 October 2013 02:35:06 a.m., Lukasz Lenart wrote:
>>
>>> 2013/10/15 Antonio Sánchez :
>>>
>>>> Set to false.
>>>>
>>>> But having the same results set to true.
>>>>
>>>> I'm using the action="index" approach. Now, cancel always launches a 404.
>>>
>>> It was related to a bug in 2.3.15.2; now with 2.3.15.1 it works fine!
>>>
>>> Regards







Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Eric Reed
First of all, security on web applications is a concern, but not as
much as one would think.

To find all the security vulnerabilities within any application or
framework, one would find all the entry points which allow user-provided
data. This could be a field, a protocol, etc., and then one
would "fuzz" this process until the program crashed.

Not only does a hacker need to crash the program, but hacking also
requires knowledge by the attacker of the underlying operating system
and what version it is. Most web applications run in a virtual
environment with proxies between the real server and the user, so just
finding out what to attack is hard if the network is properly
configured.

Certainly something to consider, but you will probably never find all
the vulnerabilities; it's a much better approach to monitor your
network and know your underlying systems.

Even though Struts can be hacked, look at all those .jar files you
included and run on your server with high-level permissions. Those too
can be full of exploits, and most of those libs are just downloaded from
the net by amateur developers.

Eric Reed
New York State Department of Education





>>> Lukasz Lenart  10/16/2013 7:12 AM >>>
Ok, so the only option is to go through each security bulletin and check
the provided Proof-of-Concept to see if it affects your application. And DMI
isn't a problem if used wisely.

https://cwiki.apache.org/confluence/display/WW/Security+Bulletins 

2013/10/16 Sreekanth S. Nair :
> Thanks Lukasz, the problem I'm facing now is that our product is too huge
> to do a migration and runs mainly on DMI. I'm unable to convince my top
> management about how bad the strust2 vulnerability is (since I don't know
> how to replicate the vulnerability). So I have no choice other than option 2.
>
> --
> Thanks & Regards
> Srikanth
> Software Developer
> 
> eGovernments Foundations
> www.egovernments.org 
> Mob : 9980078913
> 
>
>
> On Wed, Oct 16, 2013 at 4:22 PM, Umesh Awasthi wrote:
>
>> I do not think that is possible.
>> You have 2 options
>>
>> 1. Upgrade your struts2 version.
>> 2. Go through the security vulnerabilities, see what was there, create test
>> cases to see what exactly is happening, and fix them by checking the patches.
>>
>> But IMO, upgrading to the latest version is much more flexible and less
>> time-consuming than going through each and every vulnerability and
>> applying fixes for them.
>>
>>
>> On Wed, Oct 16, 2013 at 4:17 PM, Sreekanth S. Nair <
>> sreekanth.n...@egovernments.org> wrote:
>>
>> > Test Case to test the security vulnerability (major ones) in
>> > struts2-core-2.1.2.
>> >
>> > --
>> > Thanks & Regards
>> > Srikanth
>> > Software Developer
>> > 
>> > eGovernments Foundations
>> > www.egovernments.org 
>> > Mob : 9980078913
>> > 
>> >
>> >
>> > On Wed, Oct 16, 2013 at 4:15 PM, Lukasz Lenart wrote:
>> >
>> > > 2013/10/16 Sreekanth S. Nair :
>> > > > One more doubt: is this security vulnerability able to bring down the
>> > > > server :-) ? If we authorize ourselves to Apache, is it possible for the
>> > > > Struts team to give us a test case to check the vulnerability?
>> > >
>> > > What do you mean by that? What test case do you refer to?
>> > >
>> > >
>> > > Regards
>> > > --
>> > > Łukasz
>> > > + 48 606 323 122 http://www.lenart.org.pl/ 
>> > >
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>> --
>> With Regards
>> Umesh Awasthi
>> http://www.travellingrants.com/ 
>>







Re: "Cancel" button is not redirecting

2013-10-16 Thread Lukasz Lenart
Yes, I have downgraded to 2.3.15.1 and it will be fixed in 2.3.15.3

2013/10/16 Antonio Sánchez :
> So, is it still possible to render a cancel button in 2.3.15.2? Or must I
> downgrade to 2.3.15.1? Will the bug be fixed in 15.3?
>
> On Wednesday, 16 October 2013 02:35:06 a.m., Lukasz Lenart wrote:
>>
>> 2013/10/15 Antonio Sánchez :
>>>
>>> Set to false.
>>>
>>> But having the same results set to true.
>>>
>>> I'm using the action="index" approach. Now, cancel always launches a 404.
>>
>>
>> It was related to a bug in 2.3.15.2; now with 2.3.15.1 it works fine!
>>
>>
>> Regards
>
>
>
>
>




Re: "Cancel" button is not redirecting

2013-10-16 Thread Antonio Sánchez
So, is it still possible to render a cancel button in 2.3.15.2? Or must I
downgrade to 2.3.15.1? Will the bug be fixed in 15.3?


On Wednesday, 16 October 2013 02:35:06 a.m., Lukasz Lenart wrote:

> 2013/10/15 Antonio Sánchez :
>
>> Set to false.
>>
>> But having the same results set to true.
>>
>> I'm using the action="index" approach. Now, cancel always launches a 404.
>
>
> It was related to a bug in 2.3.15.2; now with 2.3.15.1 it works fine!
>
>
> Regards







Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Lukasz Lenart
Ok, so the only option is to go through each security bulletin and check
the provided Proof-of-Concept to see if it affects your application. And DMI
isn't a problem if used wisely.

https://cwiki.apache.org/confluence/display/WW/Security+Bulletins

2013/10/16 Sreekanth S. Nair :
> Thanks Lukasz, the problem I'm facing now is that our product is too huge to do a
> migration and runs mainly on DMI. I'm unable to convince my top
> management about how bad the strust2 vulnerability is (since I don't know how to
> replicate the vulnerability). So I have no choice other than option 2.
>
> --
> Thanks & Regards
> Srikanth
> Software Developer
> 
> eGovernments Foundations
> www.egovernments.org
> Mob : 9980078913
> 
>
>
> On Wed, Oct 16, 2013 at 4:22 PM, Umesh Awasthi wrote:
>
>> I do not think that is possible.
>> You have 2 options
>>
>> 1. Upgrade your struts2 version.
>> 2. Go through the security vulnerabilities, see what was there, create test
>> cases to see what exactly is happening, and fix them by checking the patches.
>>
>> But IMO, upgrading to the latest version is much more flexible and less
>> time-consuming than going through each and every vulnerability and applying
>> fixes for them.
>>
>>
>> On Wed, Oct 16, 2013 at 4:17 PM, Sreekanth S. Nair <
>> sreekanth.n...@egovernments.org> wrote:
>>
>> > Test Case to test the security vulnerability (major ones) in
>> > struts2-core-2.1.2.
>> >
>> > --
>> > Thanks & Regards
>> > Srikanth
>> > Software Developer
>> > 
>> > eGovernments Foundations
>> > www.egovernments.org
>> > Mob : 9980078913
>> > 
>> >
>> >
>> > On Wed, Oct 16, 2013 at 4:15 PM, Lukasz Lenart wrote:
>> >
>> > > 2013/10/16 Sreekanth S. Nair :
>> > > > One more doubt: is this security vulnerability able to bring down the
>> > > > server :-) ? If we authorize ourselves to Apache, is it possible for the
>> > > > Struts team to give us a test case to check the vulnerability?
>> > >
>> > > What do you mean by that? What test case do you refer to?
>> > >
>> > >
>> > > Regards
>> > > --
>> > > Łukasz
>> > > + 48 606 323 122 http://www.lenart.org.pl/
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>> --
>> With Regards
>> Umesh Awasthi
>> http://www.travellingrants.com/
>>




Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Sreekanth S. Nair
I don't mean it like that, but something like a proof of concept
like http://struts.apache.org/release/2.3.x/docs/s2-016.html


-- 
Thanks & Regards
Srikanth
Software Developer

eGovernments Foundations
www.egovernments.org
Mob : 9980078913



On Wed, Oct 16, 2013 at 4:30 PM, Lukasz Lenart wrote:

> 2013/10/16 Sreekanth S. Nair :
> > Test Case to test the security vulnerability (major ones) in
> > struts2-core-2.1.2.
>
> Everything you can find is in the Struts repository; it's Open Source, not
> closed-source software ;-)
>
> And there is no "test" which magically checks security
> vulnerabilities; even the security scans we get from time to time are
> mostly useless without deep knowledge of Struts internals (tests/scans
> don't perform impact analysis). If you know of such a tool, I will be happy
> to use it.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>


Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Lukasz Lenart
2013/10/16 Sreekanth S. Nair :
> Test Case to test the security vulnerability (major ones) in
> struts2-core-2.1.2.

Everything you can find is in the Struts repository; it's Open Source, not
closed-source software ;-)

And there is no "test" which magically checks security
vulnerabilities; even the security scans we get from time to time are
mostly useless without deep knowledge of Struts internals (tests/scans
don't perform impact analysis). If you know of such a tool, I will be happy
to use it.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Sreekanth S. Nair
Thanks Lukasz, the problem I'm facing now is that our product is too huge to do a
migration and runs mainly on DMI. I'm unable to convince my top
management about how bad the strust2 vulnerability is (since I don't know how to
replicate the vulnerability). So I have no choice other than option 2.

-- 
Thanks & Regards
Srikanth
Software Developer

eGovernments Foundations
www.egovernments.org
Mob : 9980078913



On Wed, Oct 16, 2013 at 4:22 PM, Umesh Awasthi wrote:

> I do not think that is possible.
> You have 2 options
>
> 1. Upgrade your struts2 version.
> 2. Go through the security vulnerabilities, see what was there, create test
> cases to see what exactly is happening, and fix them by checking the patches.
>
> But IMO, upgrading to the latest version is much more flexible and less
> time-consuming than going through each and every vulnerability and applying
> fixes for them.
>
>
> On Wed, Oct 16, 2013 at 4:17 PM, Sreekanth S. Nair <
> sreekanth.n...@egovernments.org> wrote:
>
> > Test Case to test the security vulnerability (major ones) in
> > struts2-core-2.1.2.
> >
> > --
> > Thanks & Regards
> > Srikanth
> > Software Developer
> > 
> > eGovernments Foundations
> > www.egovernments.org
> > Mob : 9980078913
> > 
> >
> >
> > On Wed, Oct 16, 2013 at 4:15 PM, Lukasz Lenart wrote:
> >
> > > 2013/10/16 Sreekanth S. Nair :
> > > > One more doubt: is this security vulnerability able to bring down the
> > > > server :-) ? If we authorize ourselves to Apache, is it possible for the
> > > > Struts team to give us a test case to check the vulnerability?
> > >
> > > What do you mean by that? What test case do you refer to?
> > >
> > >
> > > Regards
> > > --
> > > Łukasz
> > > + 48 606 323 122 http://www.lenart.org.pl/
> > >
> > >
> > >
> >
>
>
>
> --
> With Regards
> Umesh Awasthi
> http://www.travellingrants.com/
>


Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Umesh Awasthi
I do not think that is possible.
You have 2 options

1. Upgrade your struts2 version.
2. Go through the security vulnerabilities, see what was there, create test
cases to see what exactly is happening, and fix them by checking the patches.

But IMO, upgrading to the latest version is much more flexible and less
time-consuming than going through each and every vulnerability and applying
fixes for them.


On Wed, Oct 16, 2013 at 4:17 PM, Sreekanth S. Nair <
sreekanth.n...@egovernments.org> wrote:

> Test Case to test the security vulnerability (major ones) in
> struts2-core-2.1.2.
>
> --
> Thanks & Regards
> Srikanth
> Software Developer
> 
> eGovernments Foundations
> www.egovernments.org
> Mob : 9980078913
> 
>
>
> On Wed, Oct 16, 2013 at 4:15 PM, Lukasz Lenart wrote:
>
> > 2013/10/16 Sreekanth S. Nair :
> > > One more doubt: is this security vulnerability able to bring down the
> > > server :-) ? If we authorize ourselves to Apache, is it possible for the
> > > Struts team to give us a test case to check the vulnerability?
> >
> > What do you mean by that? What test case do you refer to?
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >
> >
> >
>



-- 
With Regards
Umesh Awasthi
http://www.travellingrants.com/


Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Sreekanth S. Nair
Test Case to test the security vulnerability (major ones) in
struts2-core-2.1.2.

-- 
Thanks & Regards
Srikanth
Software Developer

eGovernments Foundations
www.egovernments.org
Mob : 9980078913



On Wed, Oct 16, 2013 at 4:15 PM, Lukasz Lenart wrote:

> 2013/10/16 Sreekanth S. Nair :
> > One more doubt: is this security vulnerability able to bring down the
> > server :-) ? If we authorize ourselves to Apache, is it possible for the
> > Struts team to give us a test case to check the vulnerability?
>
> What do you mean by that? What test case do you refer to?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>


Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Lukasz Lenart
2013/10/16 Sreekanth S. Nair :
> One more doubt: is this security vulnerability able to bring down the
> server :-) ? If we authorize ourselves to Apache, is it possible for the
> Struts team to give us a test case to check the vulnerability?

What do you mean by that? What test case do you refer to?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Sreekanth S. Nair
One more doubt: is this security vulnerability able to bring down the
server :-) ? If we authorize ourselves to Apache, is it possible for the
Struts team to give us a test case to check the vulnerability?

-- 
Thanks & Regards
Srikanth
Software Developer

eGovernments Foundations
www.egovernments.org
Mob : 9980078913



On Wed, Oct 16, 2013 at 3:34 PM, Sreekanth S. Nair <
sreekanth.n...@egovernments.org> wrote:

> Hi,
> Thanks Lukasz, but that's too much of a task to compare; rather, I can
> migrate ;-). Thanks Antonios, I will refer to those links.
>
>
>
> --
> Thanks & Regards
> sreekanth
> 
>
>
> On Wed, Oct 16, 2013 at 3:25 PM, Antonios Gkogkakis wrote:
>
>> Hi Sreekanth,
>>
>> Lukasz beat me!
>>
>> If you don't want to upgrade, you should at least check the security
>> bulletins
>> http://struts.apache.org/release/2.2.x/docs/security-bulletins.html
>> http://struts.apache.org/release/2.3.x/docs/security-bulletins.html
>>
>> see which vulnerabilities affect you and follow the instructions to
>> resolve them.
>>
>>
>>
>> On 16 October 2013 10:48, Sreekanth S. Nair <sreekanth.n...@egovernments.org> wrote:
>>
>> > Hi,
>> > Due to time and other internal constraints, we are unable to upgrade
>> > strust2 to the latest version. So I would like to know, if we use an old
>> > strust2 distro (in my case: struts2-core-2.1.2), what countermeasures
>> > need to be taken care of?
>> >
>> > Regards
>> >
>>
>
>


Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Sreekanth S. Nair
Hi,
Thanks Lukasz, but that's too much of a task to compare; rather, I can
migrate ;-). Thanks Antonios, I will refer to those links.



-- 
Thanks & Regards
sreekanth



On Wed, Oct 16, 2013 at 3:25 PM, Antonios Gkogkakis  wrote:

> Hi Sreekanth,
>
> Lukasz beat me!
>
> If you don't want to upgrade, you should at least check the security
> bulletins
> http://struts.apache.org/release/2.2.x/docs/security-bulletins.html
> http://struts.apache.org/release/2.3.x/docs/security-bulletins.html
>
> see which vulnerabilities affect you and follow the instructions to resolve
> them.
>
>
>
> On 16 October 2013 10:48, Sreekanth S. Nair <sreekanth.n...@egovernments.org> wrote:
>
> > Hi,
> > Due to time and other internal constraints, we are unable to upgrade
> > strust2 to the latest version. So I would like to know, if we use an old
> > strust2 distro (in my case: struts2-core-2.1.2), what countermeasures
> > need to be taken care of?
> >
> > Regards
> >
>


Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Antonios Gkogkakis
Hi Sreekanth,

Lukasz beat me!

If you don't want to upgrade, you should at least check the security
bulletins
http://struts.apache.org/release/2.2.x/docs/security-bulletins.html
http://struts.apache.org/release/2.3.x/docs/security-bulletins.html

see which vulnerabilities affect you and follow the instructions to resolve
them.



On 16 October 2013 10:48, Sreekanth S. Nair  wrote:

> Hi,
> Due to time and other internal constraints, we are unable to upgrade
> strust2 to the latest version. So I would like to know, if we use an old
> strust2 distro (in my case: struts2-core-2.1.2), what countermeasures
> need to be taken care of?
>
> Regards
>


Re: Steps Involved in counter measurement for security issues

2013-10-16 Thread Lukasz Lenart
Tough task ;-)

The only option is to analyse what kind of vulnerabilities were
discovered afterwards and which of them can potentially affect your version
(given the vulnerable functionality exists in the version you use right
now).

https://cwiki.apache.org/confluence/display/WW/Migration+Guide

2013/10/16 Sreekanth S. Nair :
> Hi,
> Due to time and other internal constraints, we are unable to upgrade
> struts2 to the latest version. So I would like to know, if we use an old
> struts2 distro (in my case: struts2-core-2.1.2), what countermeasures
> need to be taken care of?
>
> Regards

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
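The triage Lukasz and Antonios describe (bulletins published after your release, filtered down to the ones whose vulnerable functionality your deployment actually contains), as an added Python example that is not code from the Struts project or from anyone in this thread. The BULLETINS table is constructed with placeholder ids and invented version windows, and the struts2-rest-plugin module name is an assumption; only the artefact name struts2-core-2.1.2 comes from the thread.

```python
"""Triage Struts security bulletins against a pinned struts2-core version.
Added example for this thread, not code from the Struts project. BULLETINS
rows are constructed placeholders (ids S2-EXAMPLE-*, invented version
windows); replace them with rows read from the linked bulletin pages."""
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# (bulletin id, version the vulnerable feature appeared in, first fixed version,
#  module that must actually be deployed for the bulletin to matter)
BULLETINS = [
    ("S2-EXAMPLE-1", "2.0.0", "2.2.3", "struts2-core"),
    ("S2-EXAMPLE-2", "2.1.0", "2.3.15.1", "struts2-core"),
    ("S2-EXAMPLE-3", "2.1.1", "2.3.15.1", "struts2-rest-plugin"),  # assumed name
    ("S2-EXAMPLE-4", "2.3.1", "2.3.15.2", "struts2-core"),
]


def parse_version(text: str) -> Version:
    """Pull a dotted version out of a string such as 'struts2-core-2.1.2'."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_lt(a: Version, b: Version) -> bool:
    """Strict less-than; shorter tuples are padded with zeros (2.1 == 2.1.0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def applicable_bulletins(artefact: str, deployed_modules: Iterable[str]) -> List[str]:
    """Bulletin ids for which introduced <= installed < fixed AND the module
    carrying the vulnerable functionality is deployed: the thread's
    "vulnerable functionality exists in the version you use" test."""
    installed = parse_version(artefact)
    modules = set(deployed_modules)
    hits = []
    for bulletin_id, introduced, fixed, module in BULLETINS:
        if module not in modules:
            continue  # vulnerable functionality is not deployed at all
        if version_lt(installed, parse_version(introduced)):
            continue  # the feature did not exist yet in this release
        if not version_lt(installed, parse_version(fixed)):
            continue  # this release already carries the fix
        hits.append(bulletin_id)
    return hits
```

Each id the function returns still needs the bulletin's own instructions applied; the table only tells you which bulletins to read, not that the application code exercises the affected feature.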



Steps Involved in counter measurement for security issues

2013-10-16 Thread Sreekanth S. Nair
Hi,
Due to time and other internal constraints, we are unable to upgrade
struts2 to the latest version. So I would like to know, if we use an old
struts2 distro (in my case: struts2-core-2.1.2), what countermeasures
need to be taken care of?

Regards


Re: "Cancel" button is not redirecting

2013-10-16 Thread Lukasz Lenart
2013/10/15 Antonio Sánchez :
> Set to false.
>
> But having the same results set to true.
>
> I'm using the action="index" approach. Now, cancel always launches a 404.

It was related to a bug in 2.3.15.2; now with 2.3.15.1 it works fine!


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: No Configuration Error Struts2

2013-10-16 Thread Lukasz Lenart
Hm, too old for me, so I don't know; try Yaragalla Muralidhar's
solution though.

2013/10/16 Srimuralidharan S :
> my struts 2 version is 2.0.11
> On 10/16/2013 12:51 PM, Lukasz Lenart wrote:
>>
>> Struts 2 version?
>>
>> 2013/10/16 Srimuralidharan S:
>>>
>>> Hi to all,
>>>   I'm using the struts 2 framework with the following
>>> configuration; I
>>> received the following warning and my application doesn't work:
>>>   [Form] No configuration found for the specified action: '/' in
>>> namespace:
>>> ''. Form action defaulting to 'action' attribute's literal value.
>>>
>>>
>>> my struts.xml
>>> 
>>> >> "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
>>> "http://struts.apache.org/dtds/struts-2.0.dtd";>
>>> 
>>> 
>>> 
>>> 
>>> /error.jsp
>>> /invalid.jsp
>>> 
>>> 
>>> /index.jsp
>>> 
>>> >> "com.dhyan.db.DbAccess">
>>> /view.jsp
>>> /invalid2.jsp
>>> 
>>> 
>>> /inserted.jsp
>>> 
>>> 
>>> 
>>
>> You can add
>>
>>
>> http://struts.apache.org/release/2.3.x/docs/action-configuration.html#ActionConfiguration-ActionDefault
>>>
>>> 
>>> struts2
>>>
>>> org.apache.struts2.dispatcher.FilterDispatcher
>>> 
>>
>> That filter has been deprecated since 2.1.3
>>
>>
>> Regards
>
>
>
> --
> Regards,
> Srimuralidharan.S
>
>
>




Re: Using multiple @Inject in constructor giving run time error

2013-10-16 Thread Lukasz Lenart
> Thanks!!
> I am wondering why it is working fine for the other case?
> I was expecting that Struts2 would convert it for me ;)

Rather Guice ;-) But maybe with Guice3 there will be no problem ;-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: Using multiple @Inject in constructor giving run time error

2013-10-16 Thread Umesh Awasthi
Thanks!!
I am wondering why it is working fine for the other case?
I was expecting that Struts2 would convert it for me ;)

Thanks
Umesh


On Wed, Oct 16, 2013 at 12:54 PM, Lukasz Lenart wrote:

> 2013/10/16 Umesh Awasthi :
> > I am trying to inject a few values into my bean like
> >
> > @Inject
> > public
> >
> DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
> > String providerClassName,
> >
> > @Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
> > boolean ignoreXMLConfiguration
> >  )
> > {
> > // some code
> >   }
> >
> >
> > Entries from struts-plugin.xml
> >
> > 
> > 
> >
> > but I am getting the following exception
> >
> > Caused by:
> > com.opensymphony.xwork2.inject.ContainerImpl$MissingDependencyException:
> No
> > mapping found for dependency [type=boolean,
> name='ignoreXMLConfiguration']
> >
> > however, if I change it to
> > @Inject
> > public
> >
> DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
> > String providerClassName
> >  )
> > {
> > }
> >
> > @Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
> > public void setIgnoreXMLConfiguration( boolean
> ignoreXMLConfiguration )
> > {
> > this.ignoreXMLConfiguration = ignoreXMLConfiguration;
> > }
> >
> > everything is working fine and dependencies are being injected correctly.
> > I am not sure where I am going wrong.
> > Can't I have multiple @Inject inside a constructor?
>
>  defines String not boolean, try something like this:
>
> @Inject
> public
> DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
> String providerClassName,
>
> @Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
> String ignoreXMLConfiguration) {
>
> this.ignoreXMLConfiguration =
> "true".equalsIgnoreCase(ignoreXMLConfiguration);
>
> }
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>


-- 
With Regards
Umesh Awasthi
http://www.travellingrants.com/


Re: No Configuration Error Struts2

2013-10-16 Thread Srimuralidharan S

my struts 2 version is 2.0.11
On 10/16/2013 12:51 PM, Lukasz Lenart wrote:

Struts 2 version?

2013/10/16 Srimuralidharan S:

Hi to all,
  I'm using the struts 2 framework with the following configuration; I
received the following warning and my application doesn't work:
  [Form] No configuration found for the specified action: '/' in namespace:
''. Form action defaulting to 'action' attribute's literal value.


my struts.xml

http://struts.apache.org/dtds/struts-2.0.dtd";>




/error.jsp
/invalid.jsp


/index.jsp


/view.jsp
/invalid2.jsp


/inserted.jsp




You can add

http://struts.apache.org/release/2.3.x/docs/action-configuration.html#ActionConfiguration-ActionDefault


struts2
org.apache.struts2.dispatcher.FilterDispatcher


That filter has been deprecated since 2.1.3


Regards



--
Regards,
Srimuralidharan.S





Re: Using multiple @Inject in constructor giving run time error

2013-10-16 Thread Lukasz Lenart
2013/10/16 Umesh Awasthi :
> I am trying to inject a few values into my bean like
>
> @Inject
> public
> DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
> String providerClassName,
>
> @Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
> boolean ignoreXMLConfiguration
>  )
> {
> // some code
>   }
>
>
> Entries from struts-plugin.xml
>
> 
> 
>
> but I am getting the following exception
>
> Caused by:
> com.opensymphony.xwork2.inject.ContainerImpl$MissingDependencyException: No
> mapping found for dependency [type=boolean, name='ignoreXMLConfiguration']
>
> however, if I change it to
> @Inject
> public
> DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
> String providerClassName
>  )
> {
> }
>
> @Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
> public void setIgnoreXMLConfiguration( boolean ignoreXMLConfiguration )
> {
> this.ignoreXMLConfiguration = ignoreXMLConfiguration;
> }
>
> everything is working fine and dependencies are being injected correctly.
> I am not sure where I am going wrong.
> Can't I have multiple @Inject inside a constructor?

 defines String not boolean, try something like this:

@Inject
public 
DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
String providerClassName,
@Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
String ignoreXMLConfiguration) {

this.ignoreXMLConfiguration =
"true".equalsIgnoreCase(ignoreXMLConfiguration);

}


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: No Configuration Error Struts2

2013-10-16 Thread Lukasz Lenart
Struts 2 version?

2013/10/16 Srimuralidharan S :
> Hi to all,
>  I'm using the struts 2 framework with the following configuration; I
> received the following warning and my application doesn't work:
>  [Form] No configuration found for the specified action: '/' in namespace:
> ''. Form action defaulting to 'action' attribute's literal value.
>
>
> my struts.xml
> 
> "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
>"http://struts.apache.org/dtds/struts-2.0.dtd";>
> 
> 
> 
> 
> /error.jsp
> /invalid.jsp
> 
> 
> /index.jsp
> 
>  "com.dhyan.db.DbAccess">
> /view.jsp
> /invalid2.jsp
> 
> 
> /inserted.jsp
> 
> 
> 

You can add 

http://struts.apache.org/release/2.3.x/docs/action-configuration.html#ActionConfiguration-ActionDefault
> 
> struts2
> org.apache.struts2.dispatcher.FilterDispatcher
> 

That filter has been deprecated since 2.1.3


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Using multiple @Inject in constructor giving run time error

2013-10-16 Thread Umesh Awasthi
I am trying to inject a few values into my bean like

@Inject
public
DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
String providerClassName,

@Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
boolean ignoreXMLConfiguration
 )
{
// some code
  }


Entries from struts-plugin.xml




but I am getting the following exception

Caused by:
com.opensymphony.xwork2.inject.ContainerImpl$MissingDependencyException: No
mapping found for dependency [type=boolean, name='ignoreXMLConfiguration']

however, if I change it to
@Inject
public
DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
String providerClassName
 )
{
}

@Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
public void setIgnoreXMLConfiguration( boolean ignoreXMLConfiguration )
{
this.ignoreXMLConfiguration = ignoreXMLConfiguration;
}

everything is working fine and dependencies are being injected correctly.
I am not sure where I am going wrong.
Can't I have multiple @Inject inside a constructor?



-- 
With Regards
Umesh Awasthi
http://www.travellingrants.com/


Re: No Configuration Error Struts2

2013-10-16 Thread Yaragalla Muralidhar
try the following



instead of



You forgot to add a namespace to your "package". Hope this solves your problem.

Thanks and Regards,
Muralidhar Yaragalla.
http://yaragalla.blogspot.in/


On Wed, Oct 16, 2013 at 12:30 PM, Srimuralidharan S <
srimuralidhara...@dhyanit.com> wrote:

> Hi to all,
>  I'm using the struts 2 framework with the following configuration;
> I received the following warning and my application doesn't work:
>  [Form] No configuration found for the specified action: '/' in namespace:
> ''. Form action defaulting to 'action' attribute's literal value.
>
>
> my struts.xml
> 
> "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
>
> "http://struts.apache.org/dtds/struts-2.0.dtd">
> 
> 
> 
> 
> /error.jsp
> /invalid.jsp
> 
> 
> /index.jsp
> 
>   "com.dhyan.db.DbAccess">
> /view.jsp
> /invalid2.jsp
> 
> 
> /inserted.jsp
> 
> 
> 
>
>
>
> my index.jsp
> <%@ page language="java" contentType="text/html; charset=UTF-8"
> pageEncoding="UTF-8"%>
> <%@ taglib prefix = "st" uri = "/struts-tags" %>
>  http://www.w3.org/TR/html4/loose.dtd">
> 
> 
> 
> Database Access
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>
>
>
>
> my web.xml
> 
>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
> id="WebApp_ID" version="2.5">
> dbcon
> 
> index.jsp
> 
>
> 
> struts2
> org.apache.struts2.dispatcher.FilterDispatcher
> 
>
> 
> struts2
> /*
> 
> 
>
>
> Please help me to overcome this problem
> --
> Regards,
> Srimuralidharan.S
>
>
>
>


No Configuration Error Struts2

2013-10-16 Thread Srimuralidharan S

Hi to all,
 I'm using the struts 2 framework with the following 
configuration; I received the following warning and my application 
doesn't work:
 [Form] No configuration found for the specified action: '/' in 
namespace: ''. Form action defaulting to 'action' attribute's literal value.



my struts.xml

http://struts.apache.org/dtds/struts-2.0.dtd";>




/error.jsp
/invalid.jsp


/index.jsp

"com.dhyan.db.DbAccess">

/view.jsp
/invalid2.jsp


/inserted.jsp






my index.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ taglib prefix = "st" uri = "/struts-tags" %>
"http://www.w3.org/TR/html4/loose.dtd";>




Database Access
















my web.xml

http://www.w3.org/2001/XMLSchema-instance"; 
xmlns="http://java.sun.com/xml/ns/javaee"; 
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"; 
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"; id="WebApp_ID" 
version="2.5">

dbcon

index.jsp



struts2
org.apache.struts2.dispatcher.FilterDispatcher



struts2
/*




Please help me to overcome this problem
--
Regards,
Srimuralidharan.S

