Monday, November 23, 2015

Re: Java Deserialization Vulnerability

@Thomas: Thanks for this information, but I guess the correct property is rpc.enhancedClasses :-)
@Jakob: Keep in mind that commons-collections is not the only library "under attack" ... groovy and spring share a similar use case https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads :-( I think reading objects from outside (worst case without authentication) using ObjectInputStream is always a bad idea!
