Return-Path: 
 <user-return-216139-apmail-struts-user-archive=struts.apache.org@struts.apache.org>
X-Original-To: apmail-struts-user-archive@www.apache.org
Delivered-To: apmail-struts-user-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 0ACC910362
	for <apmail-struts-user-archive@www.apache.org>;
 Tue, 29 Apr 2014 02:02:23 +0000 (UTC)
Received: (qmail 9282 invoked by uid 500); 29 Apr 2014 02:02:20 -0000
Delivered-To: apmail-struts-user-archive@struts.apache.org
Received: (qmail 9257 invoked by uid 500); 29 Apr 2014 02:02:20 -0000
Mailing-List: contact user-help@struts.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:user-unsubscribe@struts.apache.org>
List-Help: <mailto:user-help@struts.apache.org>
List-Post: <mailto:user@struts.apache.org>
List-Id: "Struts Users Mailing List" <user.struts.apache.org>
Reply-To: "Struts Users Mailing List" <user@struts.apache.org>
Delivered-To: mailing list user@struts.apache.org
Received: (qmail 65155 invoked by uid 99); 26 Apr 2014 10:42:27 -0000
X-ASF-Spam-Status: No, hits=-0.1 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of andy.brennan@openjawtech.com
 designates 64.18.3.38 as permitted sender)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=vVhG/8PAAe9ZxEQribbBsFXXoDx6iBKtwSMfrKRTp88=;
        b=OlRA7fiWV4bXyNR2Dm6ksEEoQ7agYzYL6G6sgZEIacZ4fyUJn6fC9zWPWW1eY9dz/B
         4GcKfAS12shpZLNV6FCYmDYZxCD9aLhd44XUMi0Ro9/LEzbevVan1As08yXnusFqMcSo
         D5YEA8Ag216fbMMjmvP8x46NMql6nMMHGI6lME2WurmcO4dmg6nr4GxCFdZHCWxyRBvo
         F7+pBTsGXyaKyVC0Jsn1HDpt5v/kGaomD2K7+/7ICkJt+a+V2SSmgwEUjFfS8ghQ2Dbj
         TctDsrrBNwGFbrLuWME4f5Gv+Y+/hZQzAdzJTkGj1d7MtfliV5RedwCaXYCAU56dR4Jh
         c13w==
X-Gm-Message-State: 
 ALoCoQnUQplWdhIA2oPHdRLAciMhituDFuVucNpZfztTSYnydIij5z+EfQ/O8v8BarKZUjZVXGSvaUcNmYtI1/EBW/4Om33xstpw8SKYfmSwC8MwzzNiGY3zPfHzYx2Ze9wXNHKbXUqD
X-Received: by 10.58.122.164 with SMTP id lt4mr11764949veb.2.1398508917379;
        Sat, 26 Apr 2014 03:41:57 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.58.122.164 with SMTP id lt4mr11764942veb.2.1398508917280;
 Sat, 26 Apr 2014 03:41:57 -0700 (PDT)
Date: Sat, 26 Apr 2014 11:41:57 +0100
Message-ID: 
 <CADtQ0Ot7e9-cOWNfLgm9KYuRJQNCttsXSqLZUnyy7Eicm5YJPA@mail.gmail.com>
Subject: Struts 1.x vulnerability to S2-020
From: Andrew Brennan <andy.brennan@openjawtech.com>
To: user@struts.apache.org
Content-Type: multipart/alternative; boundary=047d7b2ed2553ae97704f7efbbb3
X-Virus-Checked: Checked by ClamAV on apache.org

--047d7b2ed2553ae97704f7efbbb3
Content-Type: text/plain; charset=UTF-8

Hi,

Can anyone confirm/deny if Struts 1 is vulnerable to this problem?

Thanks,
Andy.

--047d7b2ed2553ae97704f7efbbb3--