I read through the blog; I am confused by this statement:

"In Struts 2 before 2.3.15.1 the information following "action:",
"redirect:" or "redirectAction:" is not properly sanitized. Since said
information will be evaluated as OGNL expression against the value stack,
this introduces the possibility to inject server side code"

It would be helpful for me if some code explained it; thanks in advance.


On Wed, Jul 31, 2013 at 6:40 PM, Antonios Gkogkakis <gkogk...@tcd.ie> wrote:

> Hi Vicky,
>
> the .action by itself in the URLs is a good hint. Furthermore, if you check
> the HTML source you'll probably find struts written somewhere, e.g.,
> dojo divs.
> Antonios
>
>
> On 31 July 2013 14:04, vicky b <vickyb2...@gmail.com> wrote:
>
> > I browsed through the Apple site; I could not find any clue that it was
> > made in Struts. Can you please let me know how the hacker recognized that
> > it was developed in Struts, and secondly how exactly he could hack it?
> > Sorry if this is out of scope for this forum.
> >
> >
> > On Wed, Jul 31, 2013 at 6:08 PM, Frans Thamura <fr...@meruvian.org> wrote:
> >
> > > Any Apple guy here?
> > >
> > > I just want to know how Struts is used there.
> > >
> > > I just know they use .action, which means Struts apps.
> > > On Jul 31, 2013 7:22 PM, "Christian Grobmeier" <grobme...@gmail.com> wrote:
> > >
> > > > I read that. I don't think we should do anything.
> > > >
> > > > The blog post is speculative. Nobody from Apple told us whether it was
> > > > really a Struts problem or not. If it is, then well, we can't do
> > > > anything. This doesn't make Struts a dangerous framework at all; it
> > > > just highlights that you should update when your framework provider
> > > > recommends it. It also highlights that we are taking security issues
> > > > seriously.
> > > >
> > > > Also it should be mentioned that no company (to my knowledge) is in
> > > > any way supporting the development of Struts. Apple has a lot of
> > > > money; they could fund the development of the framework of their
> > > > choice. At least they should be able to roll out new security
> > > > patches.
> > > >
> > > > Maybe others think differently, but apart from continuing to improve
> > > > Struts, we cannot do anything about it.
> > > >
> > > >
> > > > On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura <fr...@meruvian.org> wrote:
> > > > > Anyone read this?
> > > > >
> > > > > http://java.dzone.com/articles/was-struts-responsible-apples
> > > > >
> > > > > How we handle this?
> > > > >
> > > > > F
> > > >
> > > >
> > > >
> > > > --
> > > > http://www.grobmeier.de
> > > > https://www.timeandbill.de
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > Thanks & Regards
> > Vickyb
> >
>



--
Thanks & Regards
Vickyb
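The advisory quoted at the top of the thread says that whatever follows the "action:", "redirect:" or "redirectAction:" parameter prefix is handed to OGNL instead of being treated as plain text. The following script, an added illustration written from an operator's point of view and not code from the thread or from the Struts project, shows what that looks like in practice for someone checking their own deployment: it parses access-log lines, finds query parameters whose name carries one of those prefixes (the example assumes the prefix sits in the parameter name, as in `?redirect:/home.action`), flags the ones that contain OGNL expression delimiters (`%{` or `${`), and compares a deployed version string against the 2.3.15.1 fix version named in the advisory. The log format, the sample lines and the `expr` placeholder are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter-name prefixes named in the advisory quoted above.
# The example assumes they appear in the parameter *name*, e.g. "?redirect:/home.action".
PREFIXES = ("action:", "redirect:", "redirectAction:")

# OGNL expression delimiters as written in Struts templates: %{...} and ${...}.
OGNL_MARKER = re.compile(r"[%$]\{")

# First fixed release according to the advisory text.
FIXED_VERSION = (2, 3, 15, 1)

# Minimal common-log-format parser (assumed layout for the constructed sample).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; "expr" is a placeholder body, not a real expression.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jul/2013:14:04:00 +0000] "GET /store/index.action?redirect:%25%7Bexpr%7D HTTP/1.1" 302 0',
    '10.0.0.6 - - [31/Jul/2013:14:04:01 +0000] "GET /store/login.action?redirect:/store/home.action HTTP/1.1" 302 0',
    '10.0.0.7 - - [31/Jul/2013:14:04:02 +0000] "GET /store/item.action?id=42 HTTP/1.1" 200 5120',
    '10.0.0.8 - - [31/Jul/2013:14:04:03 +0000] "GET /images/logo.png HTTP/1.1" 200 812',
]


def parse_version(version):
    """'2.3.15.1' -> (2, 3, 15, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(version):
    """True if the deployed Struts version is at or above the advisory's fix version."""
    return parse_version(version) >= FIXED_VERSION


def prefix_params(target):
    """Return (prefix, remainder) for every query parameter whose *name* carries
    one of the special prefixes. parse_qsl percent-decodes names, which matters
    because "%25%7B" only becomes "%{" after decoding."""
    query = urlsplit(target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        for prefix in PREFIXES:
            if name.startswith(prefix):
                hits.append((prefix, name[len(prefix):]))
    return hits


def classify(line):
    """Classify one access-log line; returns None for lines that do not parse."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    hits = prefix_params(match.group("target"))
    if not hits:
        verdict = "clean"
    elif any(OGNL_MARKER.search(rest) for _prefix, rest in hits):
        # Expression syntax inside a prefixed parameter: the pattern the
        # advisory describes as being evaluated against the value stack.
        verdict = "ognl-in-prefix"
    else:
        # A prefix with a plain value is ordinary Struts usage, but still
        # worth reviewing on versions below the fix.
        verdict = "prefix-present"
    return {"ip": match.group("ip"), "status": match.group("status"),
            "target": match.group("target"), "hits": hits, "verdict": verdict}


def scan(lines):
    """Run classify over a log and drop unparseable lines."""
    return [rec for rec in (classify(line) for line in lines) if rec is not None]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["verdict"]:16} {rec["ip"]:10} {rec["target"]}')
    print("2.3.15 fixed?", is_fixed("2.3.15"), "| 2.3.15.1 fixed?", is_fixed("2.3.15.1"))
```

The decoding step is the part worth noticing: the first sample line carries `%25%7B`, which is harmless-looking in the raw log but is `%{` once the servlet container decodes it, so any check that greps raw logs for `%{` without decoding will miss it. The version comparison uses integer tuples because a plain string comparison would rank "2.3.15" above "2.3.15.1".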
