Hi Brent
Apply the following regex to exclude vulnerable parameters from the request:
"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*","^(action|method):.*"
https://struts.apache.org/docs/s2-026.html
or upgrade to Struts 2.3.24.1

Good Question!
Martin 
______________________________________________ 
                            


> Date: Mon, 22 Feb 2016 11:10:39 -0700
> Subject: CVE-2015-5209
> From: brentbark...@gmail.com
> To: user@struts.apache.org
> 
> Hi,
> 
> We are upgrading struts to patch a potential security hole (S2-026
> <https://cwiki.apache.org/confluence/display/WW/S2-026>) I want to ensure
> the vulnerability no longer exists in our application after upgrading to
> v2.3.24.1. Would someone mind pointing me in the right direction to test
> the vulnerability?
> 
> Thanks in advance!
                                          

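A way to check what the two exclusion patterns quoted in the reply actually filter, as an added example that is not part of the original thread or of Struts itself. The class name `ExcludedParamCheck`, the helper `rejectedBy` and the sample parameter names are constructed for illustration, and the example assumes the patterns are matched against the whole parameter name, case-insensitively.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ExcludedParamCheck {
    // The two patterns exactly as quoted in the reply (Java string literals).
    static final String[] EXCLUDED = {
        "(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
        "^(action|method):.*"
    };

    // Assumption: whole-name, case-insensitive matching.
    static final List<Pattern> COMPILED = new ArrayList<>();
    static {
        for (String p : EXCLUDED) {
            COMPILED.add(Pattern.compile(p, Pattern.CASE_INSENSITIVE));
        }
    }

    /** Index of the first pattern that rejects the name, or -1 if the name is accepted. */
    static int rejectedBy(String paramName) {
        for (int i = 0; i < COMPILED.size(); i++) {
            if (COMPILED.get(i).matcher(paramName).matches()) {
                return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed names: ordinary form fields next to names that address
        // framework objects and should be dropped by the filter.
        String[] names = {
            "username", "address.city", "items[0].name", "sessionId",
            "session.user", "top.request.foo", "#context.foo",
            "_memberAccess.foo", "servletContext[x]", "[0].application.x",
            "%{session.user}", "action:save", "method:delete"
        };
        for (String n : names) {
            int idx = rejectedBy(n);
            System.out.printf("%-22s %s%n", n,
                idx < 0 ? "accepted" : "rejected by pattern " + idx);
        }
    }
}
```

The first four names are accepted (note that `sessionId` passes because the keyword must be followed by `.` or `[`); the rest are rejected, the last two by the second pattern.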