struts-user mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: CVE-2015-5209
Date Mon, 22 Feb 2016 18:32:17 GMT
Hi Brent
Apply the following regex to exclude vulnerable parameters from the Request:
"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*","^(action|method):.*"
https://struts.apache.org/docs/s2-026.html
or upgrade to Struts 2.3.24.1

Good Question!
Martin 
______________________________________________ 


> Date: Mon, 22 Feb 2016 11:10:39 -0700
> Subject: CVE-2015-5209
> From: brentbarker9@gmail.com
> To: user@struts.apache.org
> 
> Hi,
> 
> We are upgrading struts to patch a potential security hole (S2-026
> <https://cwiki.apache.org/confluence/display/WW/S2-026>). I want to ensure
> the vulnerability no longer exists in our application after upgrading to
> v2.3.24.1. Would someone mind pointing me in the right direction to test
> the vulnerability?
> 
> Thanks in advance!
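The following is an added example, not part of either message above, showing how a defender can check which request parameter names the two exclusion patterns quoted in the reply actually reject. The patterns are the ones from the reply with the Java string-literal escaping removed (each `\\` becomes `\`); the `is_excluded` stand-in assumes a full-string match against each pattern, and the sample request map is constructed for illustration.

```python
import re

# The two patterns from the reply above (S2-026 / CVE-2015-5209), written as
# Python raw strings. The reply shows them as Java string literals, so every
# "\\" there is a single "\" here; the regex syntax itself is unchanged.
EXCLUDE_PATTERNS = [
    r"(^|\%\{)((#?)(top(\.|\['|\[\")|\[\d\]\.)?)"
    r"(dojo|struts|session|request|response|application"
    r"|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\.|\[).*",
    r"^(action|method):.*",
]
COMPILED = [re.compile(p) for p in EXCLUDE_PATTERNS]


def is_excluded(param_name: str) -> bool:
    """True if the parameter name matches any exclusion pattern.

    Assumption: the whole name must match a pattern (full-string match),
    which is why each pattern ends in '.*' rather than relying on a search.
    """
    return any(rx.fullmatch(param_name) for rx in COMPILED)


def filter_request_params(params: dict) -> tuple:
    """Split a request parameter map into (accepted, rejected_names).

    Accepted parameters keep their values; rejected ones are returned by
    name only so the caller can log them without echoing attacker input.
    """
    accepted = {}
    rejected = []
    for name, value in params.items():
        if is_excluded(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed sample request (not from the thread): two ordinary form fields
# plus names that address framework-internal objects the patterns are meant
# to keep out of the value stack. Each prefix form covered by the first
# pattern is represented once: bare, '#', 'top.', '[n].', and '%{'.
SAMPLE_REQUEST = {
    "username": "alice",
    "user.address.city": "Zurich",
    "session.role": "admin",
    "#_memberAccess.x": "true",
    "top.request.foo": "x",
    "[0].struts.bar": "y",
    "%{application.cfg}": "z",
    "action:doSomething": "1",
}

if __name__ == "__main__":
    accepted, rejected = filter_request_params(SAMPLE_REQUEST)
    print("accepted:", sorted(accepted))
    print("rejected:", rejected)
```

Feed it the parameter names your own application accepts and compare the two lists: a name you expected to be blocked that shows up under `accepted` is a gap in the exclusion list for that deployment, which is the kind of result worth recording when verifying the upgrade rather than relying on the version number alone.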