I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it still remains an issue for Struts 2.0.11.2 (for Websphere users). See the email below:
----- Original Message ---- From: Rene Gielen <[EMAIL PROTECTED]> To: Struts Users Mailing List <user@struts.apache.org> Sent: Wednesday, July 16, 2008 2:40:38 AM Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix Apache Struts 2.0..11.2 is now available from <http://struts.apache.org/download.cgi#struts20112>. This release is a fast track security fix release, including a security fixed version 2.0.5 of XWork, which corrects a serious vulnerability in ParametersInterceptor allowing malicious users to remotely change server side context objects. For more information about the exploit, visit our security bulletins page at <http://struts.apache.org/2.0.11.2/docs/s2-003.html>. IMPORTANT ADDITIONAL NOTES: There are two known issues with this release: 1. the integrated XWork 2.0.5 jar may cause problems when used in a combination of WebSphere 6.1 runtime environments with validation configuration via XML files. Possible Workarounds: - use annotation based validation definition instead XML based - stay with Struts 2.0..11.1 including XWork 2.0.4, applying the following exclude rule to your parameter interceptor refs in struts.xml <interceptor-ref name="params"> <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param> </interceptor-ref> 2. the filtering mechanism implemeted in XWork's ParametersInterceptor to fix the described security issue does not completely avoid any possible malicious parameter name. Possible Workaround: - apply the following exclude rule to your parameter interceptor refs in struts.xml to avoid the usage of backslash characters in parameter names <interceptor-ref name="params"> <param name="excludeParams">.*\\.*</param> </interceptor-ref> Both issues will be addressed in a soon upcoming XWork 2..0.6 release, followed by a new Struts 2.0 GA release including this new XWork version. * All developers are advised to either update Struts 2 applications to Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the fixed xwork-2.0.5.jar to prevent remotety induced context manipulations. For the complete release notes for Struts 2.0.11.2, see <http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>. - The Apache Struts Team. __________________________________________________________________ Connect with friends from any web browser - no download required. Try the new Yahoo! Canada Messenger for the Web BETA at http://ca.messenger.yahoo.com/webmessengerpromo.php --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]