Apache Struts security update disables vulnerable feature

ID: IRCNE2013091967
Date: 2013-09-24
 
According to Computerworld, a new version of the Apache Struts development framework released Friday fixes two problems that had developers worried.
Apache Struts is a popular open-source framework for developing Java-based Web applications and is maintained by the Apache Software Foundation. The newly released Struts 2.3.15.2 fixes issues that the software's developers had flagged as important.
A mechanism called the Dynamic Method Invocation (DMI) that's known to be a source of possible security vulnerabilities is disabled by default in the new Struts version.
The feature was enabled in previous versions, but users were advised to switch it off if possible.
As a result of this latest change, developers who maintain applications that rely heavily on DMI might need to refactor them if they upgrade to Struts version 2.3.15.2.
The new release also addresses an issue with the "action:" prefix of the action mapping mechanism that can be used to attach navigation information to buttons within forms.
"In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints," the Struts developers said in a security advisory.
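For developers who have to deal with both changes at once, the struts.xml below shows what the upgrade means in practice: DMI is left off, and an action that used to rely on callers choosing the method through the URL (the `action!method` form) is split into explicit per-method mappings. This is an added example, not configuration from the article or from the Struts project; the `example.UserAction` class, the JSP paths and the action names are invented, and the `struts.mapper.action.prefix.enabled` constant is assumed to be the switch that guards the "action:" prefix in 2.3.15.2 (check it against the `struts-default.properties` shipped with your release).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- 2.3.15.2 already ships with DMI off. Stating it explicitly keeps the
         decision visible in code review and survives a later change of defaults. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Assumption: this constant guards the "action:" prefix in 2.3.15.2 and
         defaults to false. Leave it off unless a specific form depends on it. -->
    <constant name="struts.mapper.action.prefix.enabled" value="false" />

    <package name="users" namespace="/users" extends="struts-default">

        <!-- BEFORE (hypothetical application that relied on DMI): a single
             mapping, with the method picked by the caller from the URL, e.g.
             /users/user!delete.action. Once DMI is disabled, that URL no longer
             dispatches to delete(); it just runs execute(). -->
        <!--
        <action name="user" class="example.UserAction">
            <result name="success">/WEB-INF/jsp/user.jsp</result>
        </action>
        -->

        <!-- AFTER: one explicit mapping per method that is meant to be reachable.
             Only the methods named here can be invoked over HTTP; any other
             public method on UserAction stays unreachable from a request. -->
        <action name="list" class="example.UserAction" method="list">
            <result name="success">/WEB-INF/jsp/users.jsp</result>
        </action>
        <action name="view" class="example.UserAction" method="view">
            <result name="success">/WEB-INF/jsp/user.jsp</result>
        </action>
        <action name="save" class="example.UserAction" method="save">
            <result name="success" type="redirectAction">view</result>
            <result name="input">/WEB-INF/jsp/user.jsp</result>
        </action>
        <action name="delete" class="example.UserAction" method="delete">
            <result name="success" type="redirectAction">list</result>
        </action>
    </package>
</struts>
```

Two points worth keeping in mind while refactoring. A wildcard mapping such as `<action name="user_*" method="{1}">` is a tempting shortcut, but it re-creates the DMI exposure under another name, since every method on the class becomes callable; explicit mappings like the ones above are the safer end state. Likewise, forms that used per-button `action:` submit names to route one form to several actions need a different design once the prefix is off, for example one form per action or a single action that reads an explicit request parameter and validates it against a fixed list of allowed operations.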
Last month, researchers from security vendor Trend Micro warned that attackers from China are using an automated tool to exploit known Struts vulnerabilities to break into servers that host applications developed with the framework.

Created: 2 Mehr 1392 (24 September 2013)