
May 03, 2006 - 12:00 a.m.

(RHSA-2006:0281) struts security update for Red Hat Application Server


0.015 Low




Struts is a framework for building web applications with Java.

A validation bug was found in the way Struts handles
org.apache.struts.taglib.html.Constants.CANCEL requests. If it is possible
for a remote attacker to inject a CANCEL request during a validation
operation, it may be possible for the attacker to acquire credentials
without the proper authentication information. (CVE-2006-1546)
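The defensive pattern against the CANCEL issue, as an added illustration that is not part of the advisory or of the Struts code base: when a request carries the cancel token, Struts 1.x skips `ActionForm.validate()`, so an Action must not assume the form bean has been validated and must leave any privileged path immediately. The class name `LoginAction`, the form bean `LoginForm`, and the forward names `"cancel"`, `"success"` and `"failure"` are assumptions for illustration; `isCancelled(request)` is the standard `org.apache.struts.action.Action` helper.

```java
// Added example (not the advisory's or Struts' own code): a Struts 1.x Action
// that refuses to treat a cancelled request as validated input.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class LoginAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // The cancel token makes the RequestProcessor bypass validate().
        // Nothing in 'form' can be trusted on this path, so do not touch
        // credentials or session state; just route to the cancel page.
        if (isCancelled(request)) {
            return mapping.findForward("cancel");
        }

        // Only reached for requests that went through validation.
        LoginForm login = (LoginForm) form;   // assumed form bean with getters
        if (authenticate(login.getUsername(), login.getPassword())) {
            request.getSession().setAttribute("user", login.getUsername());
            return mapping.findForward("success");
        }
        return mapping.findForward("failure");
    }

    // Placeholder credential check; a real deployment delegates to its
    // authentication backend. Shown only so the example is complete.
    private boolean authenticate(String username, String password) {
        return username != null && password != null
            && username.equals("demo") && password.equals("demo-password");
    }
}
```

The same rule belongs in every action that performs a state change or grants access, not only login: treat `isCancelled(request)` as a signal that validation did not run. The upgraded 1.2.9 release additionally lets an action mapping declare whether it accepts cancel at all (the `cancellable` mapping attribute), so a cancel token sent to a mapping that does not permit it is rejected by the framework before the action executes; the in-action check above remains a useful belt-and-braces measure for applications that still enable cancel on some mappings.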

A denial of service bug was found in the way Struts handles
multipart/form-data encoded form data. If it is possible for a remote
attacker to reference the public getMultipartRequestHandler method, the
attacker can prevent the Struts application from functioning properly.

A cross-site scripting bug was found in the way Struts displays certain
error messages via its LookupDispatchAction, DispatchAction, and
ActionDispatcher handlers. It may be possible for an attacker to construct a
specially crafted URL that could fool a victim into believing they are
viewing a trusted site. (CVE-2006-1548)

All users of Struts should upgrade to this updated package containing
Struts version 1.2.9, which is not vulnerable to these issues.