Posted to user@struts.apache.org by Brent Barker <br...@gmail.com> on 2016/02/22 19:10:39 UTC

CVE-2015-5209

Hi,

We are upgrading Struts to patch a potential security hole (S2-026
<https://cwiki.apache.org/confluence/display/WW/S2-026>). I want to ensure
the vulnerability no longer exists in our application after upgrading to
v2.3.24.1. Would someone mind pointing me in the right direction to test
the vulnerability?

Thanks in advance!

RE: CVE-2015-5209

Posted by Martin Gainty <mg...@hotmail.com>.
Hi Brent
apply following regex to exclude vulnerable parameters from Request
"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*","^(action|method):.*"
https://struts.apache.org/docs/s2-026.html
or upgrade to Struts 2.3.24.1

Good Question!
Martin 
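The reply above gives the excludeParams regex pair from the S2-026 advisory but not a way to check what it actually rejects. The following is an added example (not code from this thread or from the Struts project) that applies the two patterns to a constructed set of request parameter names the way Struts' ParametersInterceptor does: a parameter is dropped when a pattern matches its whole name. It assumes the doubled backslashes in the mail are Java string-literal escaping and collapses them to plain regex syntax; the sample parameter names are constructed for illustration.

```python
import re

# The two exclude patterns quoted in the reply, with the Java-style doubled
# backslashes collapsed to plain regex syntax (assumption: the mail quotes the
# Java source form of the excludeParams value).
EXCLUDE_PATTERNS = [
    re.compile(
        r"(^|\%\{)((#?)(top(\.|\['|\[\")|\[\d\]\.)?)"
        r"(dojo|struts|session|request|response|application|"
        r"servlet(Request|Response|Context)|parameters|context|_memberAccess)"
        r"(\.|\[).*"
    ),
    re.compile(r"^(action|method):.*"),
]


def is_excluded(param_name: str) -> bool:
    """Return True if any exclude pattern matches the entire parameter name.

    Struts applies the patterns with Matcher.matches(), i.e. a whole-string
    match, so re.fullmatch is the equivalent here.
    """
    return any(p.fullmatch(param_name) for p in EXCLUDE_PATTERNS)


def filter_params(params: dict) -> tuple[dict, list]:
    """Split a parameter map into the names that would be bound to the action
    and the names the exclude list would reject."""
    accepted, rejected = {}, []
    for name, value in params.items():
        if is_excluded(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed sample parameter names (not captured from a real request).
SAMPLE_PARAMS = {
    "user.name": "alice",                               # ordinary bean property: bound
    "requestId": "42",                                  # keyword prefix only, no '.' or '[': bound
    "mySession.timeout": "30",                          # keyword not at the start: bound
    "session.user": "x",                                # rejected
    "top.request.x": "x",                               # rejected via the top. prefix
    "[0].context.y": "y",                               # rejected via the [n]. prefix
    "%{#request.z}": "z",                               # rejected via the %{ prefix
    "_memberAccess['allowStaticMethodAccess']": "true", # rejected
    "action:login": "",                                 # rejected by the second pattern
    "method:execute": "",                               # rejected by the second pattern
}


if __name__ == "__main__":
    accepted, rejected = filter_params(SAMPLE_PARAMS)
    print("bound:   ", sorted(accepted))
    print("rejected:", rejected)
```

Running the block prints three bound names and seven rejected ones. The `requestId` case is worth noting when reading the regex: the patterns only trigger when the reserved name is followed by `.` or `[`, so legitimate properties that merely start with one of the words are still bound.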