A follow up to my last message: of course getClass() *is public*, which
makes things even worse. As such, class is an 100% property according to
Java Beans Specification. I would have failed on the job interview :)
- René
Am 26.04.14 12:59, schrieb Rene Gielen:
> Hi Tim,
>
> Am 25.04.14 22:06, s
We have reports of RCE in specific environments. For that reason RCE is
our maximum impact rating.
Am 26.04.14 12:54, schrieb Alexander Georgiev:
> Is the new vuln just a DoS or RCE one? It seems to be "only" a DoS.
>
>
> Am 25. April 2014 23:28:54 schrieb Tim :
>
>>
>> Hi Rene,
>>
>> Thanks fo
Is the new vuln just a DoS or RCE one? It seems to be "only" a DoS.
Am 25. April 2014 23:28:54 schrieb Tim :
Hi Rene,
Thanks for your responses. Keep in mind my criticisms are not
directed soley at you. They are directed at the entire Struts team,
it's practices and culture.
I've been on
Hi Tim,
Am 25.04.14 22:06, schrieb Tim:
>
> Hi Rene,
>
> Thanks for your responses. Keep in mind my criticisms are not
> directed soley at you. They are directed at the entire Struts team,
> it's practices and culture.
I don't know what insights you have to our practices in general and our
cu
Hi Rene,
Thanks for your responses. Keep in mind my criticisms are not
directed soley at you. They are directed at the entire Struts team,
it's practices and culture.
I've been on the front lines with applications who were pwned by
Struts bugs and thousands of users' personal information expos
Also, I'm a tad confused by the regex you have as a stop-gap. For the
readers' convenience:
(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
If your regex evaluatio
Thanks for pointing this out. The mitigation advice is obsolete once the
security patch release currently under review is published. Your point
should be addressed there. We would have delivered the release along
with the announcement if this issues would not have been disclosed already.
Thanks,
R
Hi,
Am 25.04.14 18:52, schrieb Tim:
>
>
> So I have to say, I feel like the Struts team is kind of... failing.
> Here are my gripes:
>
> A) I questioned the last bug fix in the thread here [1], where we
>were all reassured that it was just "ClassLoader manipulation", not
>RCE. Clearly
So I have to say, I feel like the Struts team is kind of... failing.
Here are my gripes:
A) I questioned the last bug fix in the thread here [1], where we
were all reassured that it was just "ClassLoader manipulation", not
RCE. Clearly that's not true.
B) The fix for the last CVE was th
In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
parameters was supposed to be resolved. Unfortunately, the correction
wasn't sufficient.
A security fix release fully addressing this issue is in preparation and
will be released as soon as possible.
Once the release is availa
10 matches
Mail list logo