So the statement about Backwards Compatibility on http://struts.apache.org/release/2.3.x/docs/s2-018.html is incorrect?

*Backward Compatibility*
After upgrading to Struts >= 2.3.15.2, applications using the "action:" should still work as expected.

This doesn't appear to be true.

On Wed, Oct 9, 2013 at 5:10 AM, Markus Fischer <markus.fisc...@knipp.de> wrote:

>
> >> Do you have any idea when a release fixing the issue can be
> >> available? And is there any chance to get more information about the
> >> specifics of the vulnerability behind S2-018?
> >
> > It should be soon, patch is under review. I cannot share any details
> > now about the vulnerability.
>
> Many thanks, Lukasz.
>
> >> We are currently considering to filter out "action:" elements via URL
> >> rewriting, but without knowing any further details we cannot be sure
> >> that that will prevent the potential exploit.
> >
> > I'm not sure what you mean by "filter out by url rewriting" but maybe
> > you could share your solution here? And it looks like the right
> > direction.
>
> I'll check if that is feasible and post here if I think it can be useful
> for someone else.
>
> Best regards,
> Markus