Full Disclosure: Re: [ANN] Struts 2.3.16.1 GA release available

Re: [ANN] Struts 2.3.16.1 GA release available - security fix

From: Lukasz Lenart <lukaszlenart () apache org>
Date: Thu, 6 Mar 2014 18:07:07 +0100

No, rather no. You gain access to ClassLoader.

2014-03-06 16:43 GMT+01:00 Tim <tim-security () sentinelchicken org>:

This release includes important security fixes:
- S2-020 - ClassLoader manipulation via request parameters


What is the ultimate impact of this manipulation?  Another RCE bug?

tim


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

[ANN] Struts 2.3.16.1 GA release available - security fix Lukasz Lenart (Mar 06)
- Re: [ANN] Struts 2.3.16.1 GA release available - security fix Tim (Mar 06)
  - Re: [ANN] Struts 2.3.16.1 GA release available - security fix Lukasz Lenart (Mar 07)
    - Re: [ANN] Struts 2.3.16.1 GA release available - security fix Tim (Mar 06)