tiles-users mailing list archives

From Antonio <antonio.petre...@gmail.com>
Subject [ANN] Security advisory for Tiles 2.1.0 and 2.1.1
Date Thu, 15 Jan 2009 12:50:02 GMT
Dear all,

Tiles 2.1.0 and 2.1.1 have a security bug that can lead to remote
server status exposure.

If you have enabled EL support, EL expressions in JSP using some Tiles
JSP tags are evaluated twice. This problem can lead to XSS and remote
server exposure attacks.

Tiles 2.1.0 and 2.1.1 users are strongly encouraged *not* to deploy
these versions in a production environment and wait until Tiles 2.1.2
is released.

More info about the bug is here:
http://tiles.apache.org/framework/security/security-bulletin-1.html

Best regards
Antonio
