Note that this is not a Struts problem or a Java problem. Every web framework that deserializes into non-trivial data structures gets this disastrously wrong at least once. (Remember the Rails thing back in... was it early 2013? Crikey I feel old.)
Ah yes, good old CVE-2013-0156. (I will always remember it as DeserialKiller, from a joke @steveklabnik and I shared which remains the best as-yet-unused vulnerability name.)
Be careful, Google is auto-completing the year only here, not the full search terms :) pic.twitter.com/jZ8rI68D36
Just to point out: (a) even the popular ones from 2013 can still be found everywhere; (b) sorry to add to the woe, but try a search for "Apache Commons Collections deserialize vuln". It is FAR WORSE than just Struts, Struts being far worse than most imagine.
Anything to do with strings has a problem at least a few times, or every year in this case.
Yup. But deserializing strings into full-on objects is ugly. YAML has this problem in Ruby-land, including the vulnerability Patrick mentions. JSON, by comparison, has a much less awful series of vulnerabilities because of the limited things it deserializes into.
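The distinction drawn in the last reply, a YAML loader turning a string into a full object of whatever class the document names while a JSON parser only ever produces hashes, arrays and scalars, shown as an added Ruby example that is not part of the thread and is not the Rails CVE itself (which delivered YAML through the XML parameter parser). The `Greeting` class and the two input documents are constructed for the demonstration; it assumes Ruby's bundled Psych (`yaml`) and `json` libraries.

```ruby
require 'yaml'
require 'json'

# Hypothetical application class; any class loaded in the process would do.
class Greeting
  attr_accessor :name
end

# Constructed attacker-controlled document: the !ruby/object tag tells the
# YAML loader to allocate a Greeting and set its instance variables.
TAGGED_YAML = "--- !ruby/object:Greeting\nname: from yaml\n"

# Equivalent constructed JSON document; JSON has no object-instantiation syntax.
PLAIN_JSON = '{"name": "from json"}'

# Full YAML load: builds whatever object the document names.
# Psych 4 (Ruby 3.1+) renamed this YAML.unsafe_load and made YAML.load safe,
# so pick whichever entry point is the unrestricted one on this Ruby.
def unsafe_yaml_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# safe_load only yields scalars, arrays and hashes unless a class is explicitly
# allow-listed; any other tag raises Psych::DisallowedClass.
def safe_yaml_load(doc, permitted = [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# Compare what the two loaders produce for the same document.
def describe(doc, permitted = [])
  {
    unsafe: unsafe_yaml_load(doc).class.name,
    safe: begin
      safe_yaml_load(doc, permitted).class.name
    rescue Psych::DisallowedClass => e
      "rejected: #{e.message}"
    end,
  }
end

# JSON.parse lands in a plain Hash; the class in the document is never consulted.
def json_load(doc)
  JSON.parse(doc)
end

if __FILE__ == $PROGRAM_NAME
  p describe(TAGGED_YAML)              # unsafe builds a Greeting, safe rejects it
  p describe(TAGGED_YAML, [Greeting])  # explicit allow-list makes safe accept it
  p json_load(PLAIN_JSON)              # a Hash, nothing more
end
```

The allow-list form is the practical fix: deserialization into application objects stays possible, but only for classes you named, which is exactly the property JSON gives you for free.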