On 1/9/07, Bruno Melloni <[EMAIL PROTECTED]> wrote:
Yes, I know this is embarrassing, but my company still uses Struts 1.1...
because of a RAD6 dependency.

Somebody just mentioned that there is a security hole in Struts 1.1.
When I searched for it, I did find a reference to it in a pre-1.3
discussion, but no details.  It seemed to be a vulnerability to a DoS
attack.

So, the question is:  Did the security hole exist? If it did, was it
fixed in 1.1 or only in the more recent versions of Struts?

There were two Struts 1.2.x releases which fixed security holes (1.2.8
and 1.2.9) - we didn't look at 1.1 so they may or may not exist there (my
guess is that they probably do).

Details and links to the issues are in the release notes for 1.2.8 and 1.2.9
  http://struts.apache.org/1.2.9/userGuide/release-notes.html
  http://struts.apache.org/1.2.9/userGuide/release-notes-1.2.8.html

Details of the 1.2.8 issue are here:
  http://wiki.apache.org/struts/StrutsXssVulnerability

Relevant Jira Issue tickets for the 1.2.9 release (we moved from
Bugzilla to Jira since those releases) are here:
  https://issues.apache.org/struts/browse/STR-2742
  https://issues.apache.org/struts/browse/STR-2765
  https://issues.apache.org/struts/browse/STR-2781

Niall

Bruno
