struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rene Gielen <>
Subject [ANN] Struts General Availability Release with Important Security Fix
Date Wed, 16 Jul 2008 06:39:01 GMT
Apache Struts is now available from

This release is a fast track security fix release, including a security
fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
ParametersInterceptor allowing malicious users to remotely change server
side context objects. For more information about the exploit, visit our
security bulletins page at

There are two known issues with this release:
1. the integrated XWork 2.0.5 jar may cause problems when used in a
combination of WebSphere 6.1 runtime environments with validation
configuration via XML files.
Possible Workarounds:
- use annotation based validation definition instead XML based
- stay with Struts including XWork 2.0.4, applying the
  following exclude rule to your parameter interceptor refs in
  <interceptor-ref name="params">
      <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
2. the filtering mechanism implemeted in XWork's ParametersInterceptor
to fix the described security issue does not completely avoid any
possible malicious parameter name.
Possible Workaround:
- apply the following exclude rule to your parameter interceptor refs in
  struts.xml to avoid the usage of backslash characters in parameter
  <interceptor-ref name="params">
      <param name="excludeParams">.*\\.*</param>
Both issues will be addressed in a soon upcoming XWork 2.0.6 release,
followed by a new Struts 2.0 GA release including this new XWork version.

* All developers are advised to either update Struts 2 applications to
Struts or manually exchange usages of xwork-2.0.x.jar with the
fixed xwork-2.0.5.jar to prevent remotety induced context manipulations.

For the complete release notes for Struts, see

- The Apache Struts Team.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message