Full Disclosure mailing list archives
Re: [ANN] Struts 2.3.16.1 GA release available - security fix
From: Takeshi Terada <mbsdtest01 () gmail com>
Date: Sun, 20 Apr 2014 14:23:42 +0900
There is another bypass of the excludeParams workaround.

Test.action?class['classLoader'].resources......(snip)

I confirmed it works on struts 2.3.16.

Plus, RCE exploits (for tomcat 8) using S2-020 were already disclosed.
http://sec.baidu.com/index.php?research/detail/id/18

Therefore upgrading to the latest version is strongly recommended.

Regards,
--
Takeshi Terada
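The message above reports that a parameter name written with OGNL bracket notation, class['classLoader'], slips past an excludeParams entry that only recognises the dot form. The following is an added example (not part of the original message and not Struts' own code) that reproduces the check in Python: WEAK_EXCLUDE is an approximation of the dot-only S2-020 workaround pattern (stated here as an assumption), and HARDENED_EXCLUDE is a pattern constructed for this example that also rejects the bracket, quoted-key and initial-capital spellings. Matching is done with fullmatch, mirroring the whole-name Pattern.matches() semantics the interceptor uses for excludeParams; the sample parameter names are constructed, and the path after "resources" is elided in the message, so only the prefix is used.

```python
import re

# Exclusion patterns are applied the way excludeParams is applied in the
# Struts parameters interceptor: a parameter name is dropped when a pattern
# matches the WHOLE name (Java Pattern.matches semantics, re.fullmatch here).

# Dot-syntax-only exclusion. Assumption: this approximates the S2-020
# excludeParams workaround the message refers to; it only recognises
# "class" reached via dot notation.
WEAK_EXCLUDE = re.compile(r"(.*\.|^)class\..*")

# Hardened exclusion constructed for this example (not an official Struts
# pattern). It also rejects 'class' reached through OGNL bracket notation,
# with or without quotes, and with an initial capital (assumption: OGNL
# bean-property lookup tolerates the capitalised spelling).
HARDENED_EXCLUDE = re.compile(r"""(.*\.|^|.*\[)(['"]?)[cC]lass\2(\.|\[|\]).*""")


def is_excluded(param_name: str, pattern: re.Pattern) -> bool:
    """True when the exclusion pattern would drop this parameter name."""
    return pattern.fullmatch(param_name) is not None


def evaluate(pattern: re.Pattern, names):
    """Map each parameter name to whether the pattern excludes it."""
    return {name: is_excluded(name, pattern) for name in names}


# Constructed sample parameter names: the dot form the original workaround
# targets, the bracket form from the message, two further spellings that
# reach the same property, and benign names that must keep working.
SAMPLE_NAMES = [
    "class.classLoader.resources",
    "class['classLoader'].resources",
    "foo['class'].classLoader",
    "Class['classLoader'].resources",
    "classification",
    "myclass.name",
]

if __name__ == "__main__":
    for label, pat in (("weak", WEAK_EXCLUDE), ("hardened", HARDENED_EXCLUDE)):
        print(label)
        for name, blocked in evaluate(pat, SAMPLE_NAMES).items():
            print(f"  {'BLOCK' if blocked else 'allow':5} {name}")
```

Running it shows the weak pattern blocking only the dot spelling while the hardened one blocks every spelling that resolves to the class property and still lets ordinary names such as "classification" through; the same comparison can be run against a deployment's actual excludeParams list before deciding whether a regex tweak or the recommended upgrade is the right fix.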