Posted to user@struts.apache.org by Prabhakar Natarajan <pr...@gmail.com> on 2007/06/14 12:01:33 UTC

Security issues in Struts

Hi all,

Does anyone have a list of security issues we have to take into account
while using the Struts framework?

Regards,
Prabhakar

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


RE: Security issues in Struts

Posted by Bruno Melloni <Br...@wnco.com>.
I know of two general categories of security issues:

First, all security issues that apply to Web Applications apply to
Struts.  Fortunately, there is lots of documentation on the web, a few
books, and quite a few tools that test the security of your web
application.

Second, *use a recent version of Struts*.  As Struts security flaws are
discovered they are patched, but not long ago I discovered that security
patches are not applied to all old versions.  For example, don't even
think of using Struts 1.1 (yes, it is still being used by many
corporations that chose IBM RAD as their IDE).  And if you use Struts
1.2.x make sure you use at least version 1.2.9.  I don't know of any,
but it is quite possible that other security flaws were discovered and
fixed in newer releases since I last checked.

Bruno
