You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@struts.apache.org by David Gawron <dg...@us.ibm.com> on 2015/10/06 21:04:15 UTC

CVE-2015-5209

Hello,

I know that Struts1 and 2 are completely different code bases, but I was 
wondering if the technique used by the exploit described in the CVE and 
https://struts.apache.org/docs/s2-026.html could possibly apply to a 
Struts 1 deployment?  There is no references to a ValueStack in the Struts 
1 code, but is there an equivalent feature that could be vulnerable?

-Dave-

----------------------------------------------------------------------
Dave Gawron
Architect, WebSphere Portlet Factory
978-899-2171 T/L 276-2171
dgawron@us.ibm.com

"Perfection is achieved, not when there is nothing more to add, but when 
there is nothing left to take away."
-- Antoine de Saint-Exupéry

Re: CVE-2015-5209

Posted by Dave Newton <da...@gmail.com>.

Same as s2-025 from your ealier question.

On Tue, Oct 6, 2015 at 3:05 PM, Dave Newton <da...@gmail.com> wrote:

> Expressions aren't evaluated in S1; there is nothing like it I'm aware of.
>
> Dave
>
>
> On Tue, Oct 6, 2015 at 3:04 PM, David Gawron <dg...@us.ibm.com> wrote:
>
>> Hello,
>>
>> I know that Struts1 and 2 are completely different code bases, but I was
>> wondering if the technique used by the exploit described in the CVE and
>> https://struts.apache.org/docs/s2-026.html could possibly apply to a
>> Struts 1 deployment?  There is no references to a ValueStack in the Struts
>> 1 code, but is there an equivalent feature that could be vulnerable?
>>
>> -Dave-
>>
>> ----------------------------------------------------------------------
>> Dave Gawron
>> Architect, WebSphere Portlet Factory
>> 978-899-2171 T/L 276-2171
>> dgawron@us.ibm.com
>>
>> "Perfection is achieved, not when there is nothing more to add, but when
>> there is nothing left to take away."
>> -- Antoine de Saint-Exupéry
>>
>>
>
>
> --
> e: davelnewton@gmail.com
> m: 908-380-8699
> s: davelnewton_skype
> t: @dave_newton <https://twitter.com/dave_newton>
> b: Bucky Bits <http://buckybits.blogspot.com/>
> g: davelnewton <https://github.com/davelnewton>
> so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
>
>


-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>

Re: CVE-2015-5209

Posted by Dave Newton <da...@gmail.com>.

Expressions aren't evaluated in S1; there is nothing like it I'm aware of.

Dave


On Tue, Oct 6, 2015 at 3:04 PM, David Gawron <dg...@us.ibm.com> wrote:

> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
> Struts 1 deployment?  There is no references to a ValueStack in the Struts
> 1 code, but is there an equivalent feature that could be vulnerable?
>
> -Dave-
>
> ----------------------------------------------------------------------
> Dave Gawron
> Architect, WebSphere Portlet Factory
> 978-899-2171 T/L 276-2171
> dgawron@us.ibm.com
>
> "Perfection is achieved, not when there is nothing more to add, but when
> there is nothing left to take away."
> -- Antoine de Saint-Exupéry
>
>


-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>

Re: CVE-2015-5209

Posted by "Sreekanth S. Nair" <sr...@egovernments.org>.

Struts1 is completely safe to use since no OGNL involved, unfortunately
people started misusing struts2 the way its easy to use, and its in a way
to fix all the security holes found till now.

-- 
Thanks & Regards

Sreekanth S Nair
Java Developer
-------------------------------------------
eGovernments Foundation <http://www.egovernments.org>
Ph : 9980078913
-------------------------------------------
<http://in.linkedin.com/pub/sreekanth-s-nair/b/946/5a0/>
<https://github.com/sreekanthsnair>   <sr...@hotmail.co.uk>
<sr...@gmail.com>
-------------------------------------------

On Wed, Oct 7, 2015 at 12:36 AM, Lukasz Lenart <lu...@apache.org>
wrote:

> 2015-10-06 21:04 GMT+02:00 David Gawron <dg...@us.ibm.com>:
> > Hello,
> >
> > I know that Struts1 and 2 are completely different code bases, but I was
> > wondering if the technique used by the exploit described in the CVE and
> > https://struts.apache.org/docs/s2-026.html could possibly apply to a
> > Struts 1 deployment?  There is no references to a ValueStack in the
> Struts
> > 1 code, but is there an equivalent feature that could be vulnerable?
>
> Nope, as far I know :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

Re: CVE-2015-5209

Posted by Lukasz Lenart <lu...@apache.org>.

2015-10-06 21:04 GMT+02:00 David Gawron <dg...@us.ibm.com>:
> Hello,
>
> I know that Struts1 and 2 are completely different code bases, but I was
> wondering if the technique used by the exploit described in the CVE and
> https://struts.apache.org/docs/s2-026.html could possibly apply to a
> Struts 1 deployment?  There is no references to a ValueStack in the Struts
> 1 code, but is there an equivalent feature that could be vulnerable?

Nope, as far I know :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org