Comment
JFreedom
on ‎05-12-2014 09:51 AM

I have been able to replicate the exploit when using a ActionForm directly, but not when using DynaActionForms. We are using DynaActionForms it appears to use form properties from the struts-config instead of the request.getParameterName during the ActionForm binding process. Is this correct?