WebWork 2.2.6 released (Security Fix)

If you are a Webwork/XWork user, you may have heard of the critical security issue found in XWork. Well, no fear the WebWork team has a backwards compatible with WebWork 2.2.5 release. Pick it up.

This entry was posted in Security. Bookmark the permalink.

2 Responses to WebWork 2.2.6 released (Security Fix)

  1. xrellix says:

    Evaluating user input as an OGNL expression !!!
    Craziest thing i ever heard/seen (ok maybe not, just like a mini-mall video ranks about the same).

    Why is it an XWork problem? Wouldn’t it be WW2 that parses the HTML form and requests XWork to evaluate?

  2. Jay says:

    You might be right.

    I don’t know if it’s necessarily the responsibility of the MVC to decide what is safe or unsafe. I guess the same goes for SQL injection: should the MVC parse out safe or unsafe SQL calls in the URL?

Leave a Reply to xrellix Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.