Posted to user@struts.apache.org by rgm <st...@rgm.nu> on 2013/09/18 17:09:43 UTC

Are S2-018 and S2-019 serious / remotely exploitable?

Are S2-018 and S2-019 as serious as these issues that prompted 2.3.15.1?
Should I rush to upgrade clients in the field to 2.3.15.2 as soon as it's
available?

As a reminder, these issues were fixed in 2.3.15.1, and one was marked
highly critical:

   - CVE-2013-2251 - S2-016 <http://struts.apache.org/release/2.3.x/docs/s2-016.html> -
     In Struts 2 before 2.3.15.1 the information following "action:",
     "redirect:" or "redirectAction:" is not properly sanitized.
   - CVE-2013-2248 - S2-017 <http://struts.apache.org/release/2.3.x/docs/s2-017.html> -
     In Struts 2 before 2.3.15.1 the information following "redirect:" or
     "redirectAction:" can easily be manipulated to redirect to an arbitrary
     location.


Unsure about appropriate panic level,
-rgm

Re: validator type="regex" : param name is regex , not expression

Posted by Chris <ch...@yahoo.fr>.
Thanks for the information



________________________________
 From: Lukasz Lenart <lu...@apache.org>
To: Struts Users Mailing List <us...@struts.apache.org>
Sent: Thursday, 19 September 2013 7:59
Subject: Re: validator type="regex" : param name is regex , not expression


Sometime ago ... with 2.3.12. I have renamed expression to regex as
right now you can define regexExpression as Ognl expression - there
was name clash without renaming ;-)

http://struts.apache.org/development/2.x/docs/version-notes-23120.html

2013/9/18 Chris <ch...@yahoo.fr>:
> Hello ,
>
> Do you have any idea since when (which version) the word expression is no
> longer available?
> In some examples on the Web or in Books, the word used is still
> "expression".
>
> Regards
>
> Chris
>
> -----------------------------------------------------------------------------------------------------------
>
>
> Done, thanks for reporting!
>
> https://cwiki.apache.org/confluence/display/WW/Form+Validation+Using+XML
>
> 2013/9/16 Chris
>
>> Hi Lukasz,
>>
>> Good example of regex in
>> http://struts.apache.org/development/2.x/docs/form-validation-using-xml.html,
>> and choosing between JavaScript validator or Java validator will be another
>> story. ;-)
>>
>>
>> but the file EditAction-validation.xml seems to contain a wrong value.
>>
>> I found it in testing PhoneNumber with many wrong values and it always
>> worked !
>> I thought maybe a jar is missing ?
>>
>> But it was the param name in the file EditAction-validation.xml
>> -> <param name="expression"> should be <param name="regex">
>>
>> before
>> <validator type="regex">
>>     <param name="fieldname">personBean.phoneNumber</param>
>>     <param name="expression"><![CDATA[\d{3}-\d{3}-\d{4}]]></param>
>>     <message>Phone number must be entered as 999-999-9999.</message>
>> </validator>
>>
>> after
>> <validator type="regex">
>>     <param name="fieldname">personBean.phoneNumber</param>
>>     <param name="regex"><![CDATA[\d{3}-\d{3}-\d{4}]]></param>
>>     <message>Phone number must be entered as 999-999-9999.</message>
>> </validator>
>>
>>
>>
>>
>> Regards,
>>
>> Chris ( christalkto )
>>
>>
>> __________________



-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: validator type="regex" : param name is regex , not expression

Posted by Chris <ch...@yahoo.fr>.
Hello , 

Do you have any idea since when (which version) the word expression is no longer available?
In some examples on the Web or in Books, the word used is still "expression".

Regards

Chris

-----------------------------------------------------------------------------------------------------------


Done, thanks for reporting!

https://cwiki.apache.org/confluence/display/WW/Form+Validation+Using+XML

2013/9/16 Chris 
> Hi Lukasz,
>
> Good example of regex in http://struts.apache.org/development/2.x/docs/form-validation-using-xml.html,
> and choosing between JavaScript validator or Java validator will be another story. ;-)
>
>
> but the file EditAction-validation.xml seems to contain a wrong value.
>
> I found it in testing PhoneNumber with many wrong values and it always worked !
> I thought maybe a jar is missing ?
>
> But it was the param name in the file EditAction-validation.xml
> -> <param name="expression"> should be <param name="regex">
>
> before
> <validator type="regex">
>     <param name="fieldname">personBean.phoneNumber</param>
>     <param name="expression"><![CDATA[\d{3}-\d{3}-\d{4}]]></param>
>     <message>Phone number must be entered as 999-999-9999.</message>
> </validator>
>
> after
> <validator type="regex">
>     <param name="fieldname">personBean.phoneNumber</param>
>     <param name="regex"><![CDATA[\d{3}-\d{3}-\d{4}]]></param>
>     <message>Phone number must be entered as 999-999-9999.</message>
> </validator>
>
>
>
>
> Regards,
>
> Chris ( christalkto )
>
>
> __________________

Re: Are S2-018 and S2-019 serious / remotely exploitable?

Posted by Dave Newton <da...@gmail.com>.
On Wed, Sep 18, 2013 at 11:09 AM, rgm <st...@rgm.nu> wrote:

> http://struts.apache.org/release/2.3.x/docs/s2-017.html


"Fixing" 19 is as simple as disabling dynamic method invocation.

I'm unclear on what 18 is; it looks like an extension of 16/17, and as
such, I'd do the upgrade--not that it's a major undertaking.

Dave

Re: Are S2-018 and S2-019 serious / remotely exploitable?

Posted by Lukasz Lenart <lu...@apache.org>.
2013/9/18 rgm <st...@rgm.nu>:
> Are S2-018 and S2-019 as serious as these issues that prompted 2.3.15.1?
>  Should I rush to upgrade clients in the field to 2.3.15.2 as soon as it's
> available?

S2-018 can be critical; it depends on how your application is
structured - but it isn't a Remote Code Execution flaw. I cannot share
more details as this can be used by hackers to attack vulnerable
sites.

S2-019 - if you don't use DMI, it will not affect you.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

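An added example, not code from the thread or from the Struts project: a small Python audit that covers both threads above. It parses a `*-validation.xml` for `regex` validators whose pattern sits under the old `expression` param name (so the validator has no pattern and silently accepts every input, as Chris found), and checks a `struts.xml` for the `struts.enable.DynamicMethodInvocation` constant that Dave and Lukasz point at for S2-019. The sample XML documents are constructed for this example (without the DOCTYPE), the `field-validator` handling goes slightly beyond the single `validator` form shown in the thread, and treating an absent DMI constant as "enabled" is an assumption about the 2.3.x default.

```python
import xml.etree.ElementTree as ET

# Constructed sample (no DOCTYPE): the thread's 'before' validator, plus one
# field-validator that is configured correctly.
VALIDATION_XML = r"""<validators>
  <validator type="regex">
    <param name="fieldname">personBean.phoneNumber</param>
    <param name="expression"><![CDATA[\d{3}-\d{3}-\d{4}]]></param>
    <message>Phone number must be entered as 999-999-9999.</message>
  </validator>
  <field name="personBean.zip">
    <field-validator type="regex">
      <param name="regex"><![CDATA[\d{5}]]></param>
      <message>ZIP must be 5 digits.</message>
    </field-validator>
  </field>
</validators>"""

# Constructed sample struts.xml that leaves dynamic method invocation on.
STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""


def _params(elem):
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("param")}


def regex_validators_missing_pattern(xml_text):
    """[(field, [stray param names])] for regex validators that have no 'regex' param."""
    root = ET.fromstring(xml_text)
    # Plain validators name their field in a param; field-validators inherit it.
    checks = [(v, _params(v).get("fieldname", "?")) for v in root.findall("validator")]
    for field in root.findall("field"):
        checks += [(fv, field.get("name")) for fv in field.findall("field-validator")]
    findings = []
    for validator, field in checks:
        params = _params(validator)
        if validator.get("type") == "regex" and not params.get("regex"):
            findings.append((field, sorted(set(params) - {"fieldname", "regex"})))
    return findings


def dmi_enabled(struts_xml_text, default=True):
    """True if struts.xml leaves DMI on; `default` applies when the constant is absent."""
    root = ET.fromstring(struts_xml_text)
    for c in root.findall("constant"):
        if c.get("name") == "struts.enable.DynamicMethodInvocation":
            return c.get("value", "").strip().lower() == "true"
    return default  # assumed 2.3.x default (see lead-in)
```

Running the audit over a project's validation files before a release catches the phone-number case from the thread, which no amount of functional testing with valid input would reveal.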