struts-user mailing list archives

From suresh sadanala <sureshsadanala...@gmail.com>
Subject Re: Use Filter or ParameterInterceptors to prevent S2-032
Date Thu, 28 Apr 2016 07:42:55 GMT
Hi,

We can avoid dynamic method invocation in the struts.xml file by declaring
the tag below:

<constant name="struts.enable.DynamicMethodInvocation" value="false" />

Kindly follow this link for your reference

http://security.coverity.com/blog/2013/Oct/making-struts2-app-more-secure-disable-dynamic-method-invocation.html

Thanks,

Suresh Sadanala.

On Thu, Apr 28, 2016 at 10:07 AM, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> 2016-04-28 3:59 GMT+02:00 mailinglist rs <rsmailinglist93@gmail.com>:
> > Besides upgrading or disabling dynamic method invocation, can I use
> > Filter or ParameterInterceptors to block request parameters which start
> > with the "method:" prefix to prevent S2-032?
> > Reference: https://struts.apache.org/docs/s2-032.html
>
> Yes, you can but bear in mind that this vulnerability affects only
> 2.3.20, 2.3.24 and 2.3.28
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
