Friday, December 1, 2017

Classloader vulnerability reproducing procedure in struts 1.1

Question:

In Struts1, I heard that there is a classloader vulnerability issue which is caused by CVE-2014-0114. But I am unable to reproduce this with respect to my project. Can anyone help me with how to reproduce this issue? I googled but did not get any procedure for reproducing it.
I am using struts-1.1, JBoss 4.2.3.GA, Apache 2.2.0, MySQL 5.0.37, JKMod, JDK 1.6.0_12, Ant 1.7.0 for my web project.

Answer:

I have tried more than 2 ways for reproducing purposes. It works fine.
  1. http://127.0.0.1:8080/MyFormGroupEditSection.do?com.macao.DelphyHacker.Marathonclass.marathonId=34&groupId=862
  2. http://127.0.0.1:8080/MyFormGroupEditSection.do?class.classLoader=true&groupId=862
For the solution of this problem, I want to add some comments. You can follow these 2 links. Hopefully, they will help you to eradicate this problem.
