Apache Struts 22.214.171.124 launched to fix vulnerable Feature
In a recent development to Apache framework, Apache Software Foundation recently released a new version of Apache Struts development framework to overcome two major problems faced by developers.
Apache Struts commonly referred as Apache is a popular open-source framework used to build, deploy and maintain web applications both on web as well as intranet. It is a powerful web server application developing Java-based Web applications and the recently launched version of Apache Struts called Struts 126.96.36.199 has been released in order to fix some issue for which the software developer's were facing difficulty.
A mechanism in Struts 2 known as Dynamic Method Invocation (DMI), which is considered to be a source of possible security vulnerabilities has been disabled in the new version Struts 188.8.131.52 by default.
Though, this feature was enabled in earlier versions of Struts but was recommended to switch it off if possible. To do this, user had to set the struts.enable.DynamicMethodInvocation option to false in struts.xml.
With the release of the latest version, developers relying more on DMI might need to refactor them if they upgrade to the new version of Struts .i.e. Struts 184.108.40.206.
Struts 220.127.116.11 also fixes one more problems related to "action:" prefix of the action mapping mechanism that can be used to attach navigation information to buttons within forms.
However, additional details about this has not been disclosed for now keeping in mind the security reasons and may be revealed later after a large number of users upgrade to the new version.
Following the critical security vulnerabilities of Struts default action mapping mechanism in the earlier versions, the latest version 18.104.22.168 of the framework ahs added additional codes to clean "action:"-prefixed information and has removed support for the "redirect:" and "redirectAction:" prefixes completely.
Moreover, one more alternative to this for the developers is to integrate their own action mapping implementation and stop using the "action:" prefix completely if they do not need need support for multiple submit buttons in their applications.
Posted on: September 30, 2013 If you enjoyed this post then why not add us on Google+? Add us to your Circles