
Struts 2.3.31 is excluding generic object.


Struts 2.3.31 is excluding generic object.

Anurag kumar
Hi,

My Action class returns a generic object, and it was working fine with Struts 2.3.16, but after upgrading to Struts 2.3.31 it is excluding the generic object.
I found the <constant name="struts.excludedClasses"> constant in struts-default.xml while searching. Here java.lang.Object is excluded. My concern is: if I override this constant in my struts.xml file after removing java.lang.Object, will it have a huge impact on security?


Thanks
Anurag

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Struts 2.3.31 is excluding generic object.

Yasser Zamani
Yes, I think so. https://www.exploit-db.com/exploits/33142/ says there will be a remote command execution vulnerability. You may try that exploit and see if there are any results on your server.

Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit). CVE-2014-0094, CVE-2014-0112, CVE-2014-0113. Remote exploit for Multiple platform....

________________________________
From: Anurag kumar <[hidden email]>
Sent: Tuesday, January 31, 2017 6:53 PM
To: [hidden email]
Subject: Struts 2.3.31 is excluding generic object.

Hi,

My Action class returns a generic object, and it was working fine with Struts 2.3.16, but after upgrading to Struts 2.3.31 it is excluding the generic object.
I found the <constant name="struts.excludedClasses"> constant in struts-default.xml while searching. Here java.lang.Object is excluded. My concern is: if I override this constant in my struts.xml file after removing java.lang.Object, will it have a huge impact on security?


Thanks
Anurag
