[ww-2160 struts] Is <s:property value=%{'xyz'}>

This is regarding the security flaw in OGNL evaluation is struts.

Can someone give an example how this is exploited?

Imagine I have a request parameter an开发者_Go百科d server returns this back to the client:

http://test/xyz=test

I have a variable named xyz with getter and setter in action class, and in JSP I have:

<s:property value="%{xyz}" />

If someone uses the URL http://test/xyz=@System@exit(0) what happens?

First, the ticket you linked to was fixed in 2007. I don't know what exactly the problem was back then, but it doesn't appear to be relevant anymore.

If someone uses the URL http://test/xyz=@System@exit(0) what happens?

Your JSP page would output the string literal @System@exit(0).

OGNL expressions are processed inside the Struts2 tags. In this case, the string literal %{xyz} is passed to the setValue(String) method of PropertyTag. Inside that tag, that string is evaluated against the value stack to produce the resulting value of @System@exit(0). That value is then output.