struts-dev mailing list archives

From Struts Two <struts...@yahoo.ca>
Subject Re: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix
Date Thu, 31 Jul 2008 13:31:05 GMT
Any news on the 2.0.12 release that would contain XWork 2.0.6 for WebSphere users?



----- Original Message ----
From: Rene Gielen <rgielen@apache.org>
To: Struts Users Mailing List <user@struts.apache.org>
Sent: Wednesday, July 16, 2008 2:40:38 AM
Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix

Apache Struts 2.0.11.2 is now available from
<http://struts.apache.org/download.cgi#struts20112>.

This release is a fast track security fix release, including a security
fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
ParametersInterceptor allowing malicious users to remotely change server
side context objects. For more information about the exploit, visit our
security bulletins page at
<http://struts.apache.org/2.0.11.2/docs/s2-003.html>.

IMPORTANT ADDITIONAL NOTES:
There are two known issues with this release:
1. the integrated XWork 2.0.5 jar may cause problems when used in a
combination of WebSphere 6.1 runtime environments with validation
configuration via XML files.
Possible Workarounds:
- use annotation based validation definition instead of XML based
- stay with Struts 2.0.11.1 including XWork 2.0.4, applying the
  following exclude rule to your parameter interceptor refs in
  struts.xml
  <interceptor-ref name="params">
      <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
  </interceptor-ref>
2. the filtering mechanism implemented in XWork's ParametersInterceptor
to fix the described security issue does not completely avoid any
possible malicious parameter name.
Possible Workaround:
- apply the following exclude rule to your parameter interceptor refs in
  struts.xml to avoid the usage of backslash characters in parameter
  names
  <interceptor-ref name="params">
      <param name="excludeParams">.*\\.*</param>
  </interceptor-ref>
Both issues will be addressed in a soon upcoming XWork 2.0.6 release,
followed by a new Struts 2.0 GA release including this new XWork version.

* All developers are advised to either update Struts 2 applications to
Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the
fixed xwork-2.0.5.jar to prevent remotely induced context manipulations.

For the complete release notes for Struts 2.0.11.2, see
<http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.


- The Apache Struts Team.





---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
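The two workarounds quoted above both rely on an excludeParams regex on the "params" interceptor ref. The following is an added example (not Struts or XWork code, and not part of the original message) that shows what each of the two quoted rules actually rejects when applied to a set of parameter names. It assumes, as labelled in the code, that the rules in the mail are written with Java-string escaping (so the compiled regexes are .*[[^\p{Graph}][\\#:=]].* and .*\\.*) and that an excludeParams regex is matched against the whole parameter name; the request parameters are constructed sample data.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example: models how an excludeParams rule on the "params"
 * interceptor decides which request parameter names are dropped before
 * XWork binds them. This is not Struts or XWork source code.
 */
public class ExcludeParamsDemo {

    // Rule from known issue 1 (Struts 2.0.11.1 / XWork 2.0.4 workaround).
    // Assumption: the mail shows the rule with Java-string escaping, so the
    // compiled regex is  .*[[^\p{Graph}][\\#:=]].*  which matches any name
    // containing a non-printable or whitespace character, a backslash,
    // '#', ':' or '='.
    static final Pattern GRAPH_RULE =
            Pattern.compile(".*[[^\\p{Graph}][\\\\#:=]].*");

    // Rule from known issue 2 (XWork 2.0.5 workaround). Compiled regex is
    // .*\\.*  which matches any name containing a literal backslash.
    static final Pattern BACKSLASH_RULE = Pattern.compile(".*\\\\.*");

    /**
     * True if the parameter name matches any exclude rule.
     * Assumption: an excludeParams regex is applied to the whole name
     * (Matcher.matches), not searched within it.
     */
    static boolean isExcluded(String paramName, Pattern... rules) {
        for (Pattern rule : rules) {
            if (rule.matcher(paramName).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Returns the parameters that would survive the given exclude rules. */
    static Map<String, String> filter(Map<String, String> params, Pattern... rules) {
        Map<String, String> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!isExcluded(e.getKey(), rules)) {
                accepted.put(e.getKey(), e.getValue());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample request: one ordinary property path plus names
        // containing the characters the two rules are meant to reject.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("user.name", "alice");      // plain property path, kept by both rules
        request.put("#session.role", "admin");  // '#' is rejected by GRAPH_RULE only
        request.put("user\\name", "bob");       // backslash is rejected by both rules
        request.put("a b", "c");                // whitespace is rejected by GRAPH_RULE only
        request.put("k=v", "x");                // '=' is rejected by GRAPH_RULE only

        System.out.println("GRAPH_RULE keeps:     " + filter(request, GRAPH_RULE).keySet());
        System.out.println("BACKSLASH_RULE keeps: " + filter(request, BACKSLASH_RULE).keySet());
        System.out.println("both rules keep:      "
                + filter(request, GRAPH_RULE, BACKSLASH_RULE).keySet());
    }
}
```

Run with javac/java; the first rule keeps only user.name, while the narrower backslash-only rule from known issue 2 keeps everything except user\name. That difference is the practical point of the two workarounds: the backslash rule is meant to be added on top of XWork 2.0.5's own filtering rather than as a replacement for it, so it does not by itself reject names containing '#', ':', '=' or whitespace.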

