struts-dev mailing list archives

From "Tom Schneider" <>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 17:20:39 GMT
<ww:property value="%{@java.lang.System@currentTimeMillis()}"/> works
for me, so I think a remote execution is definitely possible.
(Something like Runtime.exec would probably cause a lot of problems)

Do we need to filter certain classes/methods?  I'm not sure how else
we would solve this--this could allow someone to do some nasty stuff.

On 7/5/07, Bob Lee <> wrote:
> On 7/5/07, Ing. Andrea Vettori <> wrote:
> >
> > The DoS is because you can trigger an infinite loop.
> My point is, can you execute arbitrary code on the server? If so, a DoS is
> the least of your worries.
> Bob
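The question Tom raises above is whether expressions passed through tags like `ww:property` should be filtered for static class and method access before they reach OGNL. The following is an added example, not code from Tom, Bob, or the Struts/WebWork project: a deny-by-default audit that pulls every `%{...}` expression out of a template, extracts OGNL static references of the form `@pkg.Class@member`, and rejects anything not on an explicit allowlist. The allowlist contents, the sample templates and the file names are constructed for this demonstration and are assumptions, not project configuration.

```python
"""Allowlist filter for OGNL static-member references in tag expressions.

Example code added here; not from the Struts/WebWork project or the
thread's authors. Templates and allowlist below are constructed inputs.
"""
import re
from typing import List, NamedTuple, Tuple


class StaticRef(NamedTuple):
    cls: str       # fully qualified class name, e.g. "java.lang.System"
    member: str    # method or field name, e.g. "currentTimeMillis"
    is_call: bool  # True when followed by "(" (method call), False for a field read


# Deny-by-default allowlist of (class, member) pairs an expression may invoke.
# Assumption for this example: only two pure Math helpers are needed by the views.
ALLOWED_STATIC_MEMBERS = frozenset({
    ("java.lang.Math", "max"),
    ("java.lang.Math", "min"),
})

# OGNL static access syntax: @pkg.Class@member, optionally followed by "(".
_STATIC_REF = re.compile(
    r"@([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)@([A-Za-z_$][\w$]*)(\s*\()?"
)


def extract_expressions(template: str) -> List[str]:
    """Return the body of every %{...} expression in a template, honouring nested braces."""
    exprs = []
    i = 0
    while True:
        start = template.find("%{", i)
        if start == -1:
            return exprs
        depth = 0
        j = start + 1
        while j < len(template):
            if template[j] == "{":
                depth += 1
            elif template[j] == "}":
                depth -= 1
                if depth == 0:
                    exprs.append(template[start + 2:j])
                    break
            j += 1
        else:
            # Unterminated expression: keep the remainder so it is still inspected.
            exprs.append(template[start + 2:])
            return exprs
        i = j + 1


def find_static_refs(expr: str) -> List[StaticRef]:
    """All @Class@member references in one expression, in source order."""
    return [StaticRef(m.group(1), m.group(2), m.group(3) is not None)
            for m in _STATIC_REF.finditer(expr)]


def disallowed_refs(expr: str) -> List[StaticRef]:
    """Static references that are not allowlisted calls; static field reads are never allowed."""
    return [r for r in find_static_refs(expr)
            if not r.is_call or (r.cls, r.member) not in ALLOWED_STATIC_MEMBERS]


def is_allowed(expr: str) -> bool:
    return not disallowed_refs(expr)


def audit_template(name: str, template: str) -> List[Tuple[str, str, StaticRef]]:
    """Findings as (template name, expression, offending reference) tuples."""
    findings = []
    for expr in extract_expressions(template):
        for ref in disallowed_refs(expr):
            findings.append((name, expr, ref))
    return findings


# Constructed sample templates; the first one is the expression from the thread.
SAMPLE_TEMPLATES = {
    "time.jsp": '<ww:property value="%{@java.lang.System@currentTimeMillis()}"/>',
    "clamp.jsp": '<ww:property value="%{@java.lang.Math@max(0, quantity)}"/>',
    "profile.jsp": '<ww:property value="%{user.name}"/> '
                   '<ww:property value="%{@java.lang.Integer@MAX_VALUE}"/>',
}


def audit_all(templates=SAMPLE_TEMPLATES):
    findings = []
    for name, text in templates.items():
        findings.extend(audit_template(name, text))
    return findings


if __name__ == "__main__":
    for name, expr, ref in audit_all():
        kind = "call" if ref.is_call else "field read"
        print(f"{name}: rejected {kind} {ref.cls}.{ref.member} in %{{{expr}}}")
```

Run stand-alone it reports the `System.currentTimeMillis()` call from the thread and the `Integer.MAX_VALUE` read, and accepts the `Math.max` call and the plain `user.name` property. Matching on the expression text is a useful audit and a cheap first gate, but it only sees the `@Class@member` spelling; the durable fix is to restrict what the OGNL evaluator itself may reach (OGNL's `MemberAccess` hook is the place for that), with a text filter like this one kept as an additional check rather than the sole control.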
