Posted to user@struts.apache.org by vivek verma <vi...@yahoo.com.INVALID> on 2016/05/06 07:43:49 UTC
Security vulnerabilities on using struts2-struts1-plugin-2.3.28.1
Hi,
Our project is developed on Struts 1.1 and has been running without any issues for the past several years. Due to the EOL announcement for struts 1.x we are planning to move to Struts 2. As per the migration strategies stated, we are planning to use struts2-struts1-plugin-2.3.28.1.jar in our system, and for any new development we are planning to use the Struts 2 framework.
With regard to this, we have the following queries:
1) If we are using this plugin, would security vulnerabilities reported on struts 1.x and struts 2.x get mitigated, since we would be using struts 2.3.28 to handle the incoming request first and delegating to struts-1.3.10 classes internally?
2) If the above is not so, are there any recommendations on when to use this plugin?
Thanks,
Vivek
Re: Security vulnerabilities on using struts2-struts1-plugin-2.3.28.1
Posted by Christoph Nenning <Ch...@lex-com.net>.
> Hi,
> Our project is developed on Struts 1.1 and has been running without
> any issues for the past several years. Due to the EOL announcement for
> struts 1.x we are planning to move to Struts 2. As per the migration
> strategies stated, we are planning to use
> struts2-struts1-plugin-2.3.28.1.jar in our system, and for any new
> development we are planning to use the Struts 2 framework.
> With regard to this, we have the following queries:
> 1) If we are using this plugin, would security vulnerabilities
> reported on struts 1.x and struts 2.x get mitigated, since we would be
> using struts 2.3.28 to handle the incoming request first and
> delegating to struts-1.3.10 classes internally?
> 2) If the above is not so, are there any recommendations on when to
> use this plugin?
>
> Thanks,
> Vivek
Hi,
For our projects we usually migrate like this:
- have struts1 and struts2 in the app
- struts1 actions are still handled by struts1; we don't use struts2-struts1-plugin
- in each release some old actions are rewritten with struts2
- new actions are always written with struts2
- when there are no struts1 actions left -> remove the framework
I'm not sure if struts1 vulnerabilities affect struts2-struts1-plugin. Probably it depends on the type of vuln. So some might affect the plugin and some might not.
Regards,
Christoph