struts-user mailing list archives

From "Caoilte O'Connor" <>
Subject production use of a Struts 2.0.x website
Date Wed, 13 Oct 2010 14:37:45 GMT
I'm investigating the changes that we will need for production use of a
website code base utilizing Struts2.

1) =========================
First of all, we are still using 2.0.x series Struts2. From what I can
tell this means we are theoretically vulnerable to

although this isn't made clear on

However, although I have successfully reproduced CVE-2010-1870 on a
Windows environment, I have been unable to reproduce it on any of our
Linux environments. I don't understand why they would be immune to the
attack and would be very interested in finding out if the attack
should still be reproducible or if anybody else has seen similar
behaviour on any version of Struts2.

2) =========================
Secondly, we haven't applied any "Freemarker" configuration settings
as advised here

I think it was probably assumed that because we use JSP/Struts2 tags
that there wouldn't be any Freemarker to configure. However, I have
seen Freemarker engine classes in thread dumps and given the following
Struts 2.2-only advice here,

it looks like we should

i) Create a file in your WEB-INF/classes directory.
ii) enable Freemarker template caching

Is that correct?

3) =========================
Finally, I fully expect any reply to this email to start by telling me
that we should upgrade to Struts 2.2.1. Would anybody be kind enough
to venture a rough guess of how difficult that would be for us and how
much of a performance increase it could give us? We seem to,
i) have quite a few custom interceptors and chains
ii) make extensive use of most S: and SS: tags in jsp.

Apologies for the interconnected series of questions. Thank you so
much for your time if you are able to answer or comment on any part of


Caoilte O'Connor
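Editor's note, added to this archived message and not part of the poster's text or of the Struts/XWork code base: the CVE-2010-1870 question in point 1) turns on how request parameter names are screened before they reach the OGNL evaluator. The example below is a standalone Python reconstruction of the idea, not XWork's own ParametersInterceptor: a blocklist that refuses a few literal metacharacters (the assumed set "=,#:" is a simplification) is compared with an allowlist that only admits bean-property paths, and a small audit routine shows why a literal-character blocklist can be smuggled past with a Java-style \uXXXX escape that the expression parser resolves later. The query string it inspects is constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Simplified, assumed blocklist of literal OGNL metacharacters. XWork's real
# pre-fix check lived in ParametersInterceptor.acceptableName and is not copied here.
BLOCKED_CHARS = frozenset("=,#:")


def legacy_accepts(name: str) -> bool:
    """Blocklist-style check: refuse a parameter name containing a literal metacharacter."""
    return not any(ch in BLOCKED_CHARS for ch in name)


# Allowlist: only the property-path shapes a bean setter needs, e.g. user.name
# or user.addresses[0].city. Anything with quotes, parens or escapes is refused.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*|\[[0-9]+\])*")


def strict_accepts(name: str) -> bool:
    """Allowlist check: the name must be a plain property path and nothing else."""
    return NAME_RE.fullmatch(name) is not None


_UESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def ognl_unescape(text: str) -> str:
    """Resolve Java/OGNL \\uXXXX escapes the way the expression parser would."""
    return _UESC.sub(lambda m: chr(int(m.group(1), 16)), text)


def audit_query(query_string: str) -> list[dict]:
    """Classify each parameter name in a raw query string.

    smuggled_metachar is True when the blocklist accepts the name as sent but
    would reject it once unicode escapes are resolved, i.e. the blocklist was
    checking the wrong representation.
    """
    findings = []
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        decoded = ognl_unescape(name)
        findings.append({
            "name": name,
            "legacy_accepts": legacy_accepts(name),
            "strict_accepts": strict_accepts(name),
            "smuggled_metachar": legacy_accepts(name) and not legacy_accepts(decoded),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample: one ordinary property name, one name that carries a
    # %5C-encoded backslash followed by u0023 (the escape for '#').
    SAMPLE_QUERY = "user.name=bob&('%5Cu0023foo')(bar)=1"
    for f in audit_query(SAMPLE_QUERY):
        print(f)
```

The practical takeaway for a Struts 2.0.x deployment is that a check on the literal characters of a parameter name is not a check on what OGNL will evaluate; an allowlist of property-path shapes, or the upgraded interceptor, is the right fix, and the audit function can be run over captured query strings to see whether such names have been arriving.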
