struts-user mailing list archives

From Emi <em...@encs.concordia.ca>
Subject Re: Struts 2.3 fix for s2-052?
Date Wed, 06 Sep 2017 14:12:00 GMT
Hello,
> I finally read your email where you gave the dist URL for the dev release.
This is the release that I should use for 2.3, right?

https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Thanks.
> I tested against the struts2-rest-showcase app, a URL that was vulnerable
> in other versions.
>
> I also manually built just struts2-core, rest-plugin, config-browser, and
> rest-showcase apps, and attempted the exploit against that as well, and
> that also gave the exception around class permissions (the exception it
> should throw when deserialization attempts to instantiate a non-allowed
> class).
>
> On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart <lukaszlenart@apache.org>
> wrote:
>
>> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart <lukaszlenart@apache.org>:
>>> Here is the full info
>>> http://markmail.org/message/5xuhb2vwc7iagjjr
>> William, how does your test pass?
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>

