struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: OGNL expressions in headers and parameters
Date Mon, 13 Mar 2017 09:48:30 GMT
2017-03-13 10:43 GMT+01:00 Tamás Barta <bartatamas@gmail.com>:
> Interesting, I don't do such things. I write down the stack trace from
> where it is executed (in 2.5.2).
> This is the interesting part; there is none of my code there.
>
> StrutsPrepareAndExecuteFilter:100   // boolean handled = execute.executeStaticResourceRequest(request, response);
> ->
> ExecuteOperations:59   // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> ->
> Dispatcher:897   // Configuration config = mgr.getConfiguration();
> ->
> ConfigurationManager:73   // conditionalReload();
> ->
> OgnlValueStackFactory:64   // container.inject(stack);
> ...
>
> I tried this test script and put breakpoint in
> OgnlUtil.getExcludedClasses():
> https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

But this is a vulnerability, a bug which was already fixed. We are also
developers who make mistakes.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


