Posted to user@struts.apache.org by vivek verma <vi...@yahoo.com.INVALID> on 2016/05/06 07:43:49 UTC

Security vulnerabilities on using struts2-struts1-plugin-2.3.28.1

Hi,
Our project is developed on Struts 1.1 and has been running without any issues for the past several years. Due to the EOL announcement for Struts 1.x we are planning to move to Struts 2. As per the migration strategies stated, we are planning to use struts2-struts1-plugin-2.3.28.1.jar in our system, and for any new development we are planning to use the Struts 2 framework.
With regard to this, we have the following queries:
1) If we are using this plugin, would security vulnerabilities reported on Struts 1.x and Struts 2.x get mitigated, since we would be using Struts 2.3.28 to handle the incoming request first and delegating to struts-1.3.10 classes internally?
2) If the above is not so, any recommendations on when to use this plugin?
2)If above is not so, any recommendations on when to use this plugin.

Thanks,
Vivek

Re: Security vulnerabilities on using struts2-struts1-plugin-2.3.28.1

Posted by Christoph Nenning <Ch...@lex-com.net>.
> Hi,
> Our project is developed on Struts 1.1 and has been running without 
> any issues for the past several years. Due to EOL announcement for 
> struts 1.x we are planning to move to Struts 2. As per the migration
> strategies stated, we are planning to use struts2-struts1-plugin-2.
> 3.28.1.jar in our system and for any new development we are planning
> to use Struts 2 framework.
> With regard to this, we have the following queries:-1)If we are 
> using this plugin would security vulnerabilities reported on struts 
> 1.x, struts 2.x get mitigated since we would be using struts 2.3.28 
> to handle the incoming request first and delegating to struts-1.3.10
> classes internally.
> 2)If above is not so, any recommendations on when to use this plugin.
> 
> Thanks,Vivek


Hi,

for our projects we usually migrate like this:
- have struts1 and struts2 in the app
- struts1 actions are still handled by struts1, we don't use 
struts2-struts1-plugin
- in each release some old actions are rewritten with struts2
- new actions are always written with struts2
- when there are no struts1 actions left -> remove the framework


I'm not sure if struts1 vulnerabilities affect struts2-struts1-plugin. 
Probably it depends on the type of vuln. So some might affect the plugin 
and some might not.



Regards,
Christoph
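
The side-by-side setup described in the reply above (Struts 1 still serving its own actions, Struts 2 serving new ones, no struts2-struts1-plugin), expressed as a web.xml. This is an added example and not a file from either poster or from the Struts project; the servlet name "action", the config path /WEB-INF/struts-config.xml and the *.do / *.action split are assumptions chosen so the two frameworks never see each other's requests.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Struts 1 (struts-core 1.3.10): the legacy ActionServlet keeps handling
       every *.do request exactly as it did before the migration started. -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <!-- assumed location of the existing Struts 1 configuration -->
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Struts 2 (struts2-core 2.3.28.1): the filter is mapped to *.action only,
       not to /*, so it is never in front of the *.do requests above. Rewriting
       an old action then means moving its URL from *.do to *.action. -->
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.action</url-pattern>
  </filter-mapping>

</web-app>
```

Two checks go with this layout. First, when the last *.do action is gone, remove both the servlet block and the struts-core 1.3.10 jar; a framework that is no longer mapped but still on the classpath still carries whatever vulnerabilities it has. Second, run `mvn dependency:tree` (or inspect WEB-INF/lib) after every release to confirm that no other dependency, the struts2-struts1-plugin included, pulls struts-core 1.3.x back in. Mapping the Struts 2 filter to *.action rather than /* also means Struts 2 will not serve its bundled static resources under /struts/; if the new actions rely on those, map the filter to /* and keep the *.do requests out of it instead.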
