Posted to user@struts.apache.org by "Sarr, Nathan" <ns...@library.rochester.edu> on 2011/05/11 16:47:16 UTC

XSS Vulnerability in Struts 2 before 2.2.3

Hello,

I noticed the solution mentions turning off DMI support in
struts.xml.  Would the same result be achieved by setting it in the
struts.properties file:

# don't allow dynamic method invocation
struts.enable.DynamicMethodInvocation = false

Thanks,

-Nate
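
The question above, as an added example that is not part of the original thread or of Struts itself: a Python check that reads both files and reports the effective DMI setting and which file decided it. It assumes struts.properties is loaded after struts.xml and overrides it, and that DMI is enabled when neither file sets it; the function names and sample file contents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

KEY = "struts.enable.DynamicMethodInvocation"

def from_struts_xml(text):
    """Value of <constant name=KEY .../> in struts.xml, or None if absent."""
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == KEY:
            return const.get("value")
    return None

def from_properties(text):
    """Value of KEY in struts.properties, or None; the last assignment wins."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == KEY:
            value = m.group(2).strip()
    return value

def effective_dmi(struts_xml=None, struts_properties=None):
    """Return (dmi_enabled, deciding_source) for the given file contents."""
    # Assumption: unset means enabled, the premise of the thread's mitigation.
    value, source = "true", "framework default"
    # Assumption: struts.properties is read after struts.xml and overrides it.
    for name, text, read in (("struts.xml", struts_xml, from_struts_xml),
                             ("struts.properties", struts_properties, from_properties)):
        found = read(text) if text is not None else None
        if found is not None:
            value, source = found, name
    return value.lower() == "true", source

# Constructed sample inputs (only the property line is taken from the thread).
XML_ON = """<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN" "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
XML_OFF = XML_ON.replace('value="true"', 'value="false"')
PROPS_OFF = "# don't allow dynamic method invocation\nstruts.enable.DynamicMethodInvocation = false\n"

if __name__ == "__main__":
    for label, args in (("xml only", (XML_OFF, None)), ("properties only", (None, PROPS_OFF)),
                        ("both, conflicting", (XML_ON, PROPS_OFF)), ("neither", (None, None))):
        print(label, effective_dmi(*args))
```

The conflicting case is the one worth checking in a real deployment: a leftover `value="true"` in struts.xml does not show up as a problem if a later-loaded file turns DMI off, and the reverse is equally possible.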

 


Re: XSS Vulnerability in Struts 2 before 2.2.3

Posted by Maurizio Cucchiara <ma...@gmail.com>.
It's so good to hear it. :)

On 11 May 2011 18:42, Sarr, Nathan <ns...@library.rochester.edu> wrote:
> I did a quick test and it appeared to work correctly.
>
> -Nate
>
> -----Original Message-----
> From: Maurizio Cucchiara [mailto:maurizio.cucchiara@gmail.com]
> Sent: Wednesday, May 11, 2011 12:37 PM
> To: Struts Users Mailing List
> Subject: Re: XSS Vulnerability in Struts 2 before 2.2.3
>
> I did not check before, but I bet it works (please let us know if it doesn't).
>
>
> On 11 May 2011 16:47, Sarr, Nathan <ns...@library.rochester.edu> wrote:
>> Hello,
>>
>>
>>
>>   I noticed the solution mentions turning off DMI support in
>> struts.xml.  Would the same result be achieved by setting it in the
>> struts.properties file:
>>
>>
>>
>> # don't allow dynamic method invocation
>>
>> struts.enable.DynamicMethodInvocation = false
>>
>>
>>
>> Thanks,
>>
>> -Nate
>>
>>
>>
>>
>
>
>
> --
> Maurizio Cucchiara
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>



-- 
Maurizio Cucchiara



RE: XSS Vulnerability in Struts 2 before 2.2.3

Posted by "Sarr, Nathan" <ns...@library.rochester.edu>.
I did a quick test and it appeared to work correctly.

-Nate

-----Original Message-----
From: Maurizio Cucchiara [mailto:maurizio.cucchiara@gmail.com] 
Sent: Wednesday, May 11, 2011 12:37 PM
To: Struts Users Mailing List
Subject: Re: XSS Vulnerability in Struts 2 before 2.2.3

I did not check before, but I bet it works (please let us know if it doesn't).


On 11 May 2011 16:47, Sarr, Nathan <ns...@library.rochester.edu> wrote:
> Hello,
>
>
>
>   I noticed the solution mentions turning off DMI support in
> struts.xml.  Would the same result be achieved by setting it in the
> struts.properties file:
>
>
>
> # don't allow dynamic method invocation
>
> struts.enable.DynamicMethodInvocation = false
>
>
>
> Thanks,
>
> -Nate
>
>
>
>



-- 
Maurizio Cucchiara



Re: XSS Vulnerability in Struts 2 before 2.2.3

Posted by Maurizio Cucchiara <ma...@gmail.com>.
I did not check before, but I bet it works (please let us know if it doesn't).


On 11 May 2011 16:47, Sarr, Nathan <ns...@library.rochester.edu> wrote:
> Hello,
>
>
>
>   I noticed the solution mentions turning off DMI support in
> struts.xml.  Would the same result be achieved by setting it in the
> struts.properties file:
>
>
>
> # don't allow dynamic method invocation
>
> struts.enable.DynamicMethodInvocation = false
>
>
>
> Thanks,
>
> -Nate
>
>
>
>



-- 
Maurizio Cucchiara
