struts-dev mailing list archives

From "Ing. Andrea Vettori" <m...@andreavettori.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 16:02:30 GMT
The DoS is because you can trigger an infinite loop.

Please take a look at the jira issue.

Looks like we need to do different things if the value is specified  
in the source code or if it's inserted in the field by the user.

http://struts.apache.org/2.0.8/docs/tag-syntax.html




On 05 Jul 2007, at 17:47, Bob Lee wrote:

> Possible DoS? Isn't this a remote exploit? Can you call arbitrary  
> methods?
>
> Bob
>
> On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
>>
>> some simple testing shows that the field value is simply evaluated...
>>
>> try putting %{1+1} in a Struts textfield, submit, and you'll get "2" in
>> the field...
>>
>> Cool, but I don't think it should be the default behaviour.
>>
>> What constructs can trigger recursion?
>>
>>
>> On 05 Jul 2007, at 14:00, Andrea wrote:
>>
>> > Antonio Petrelli <antonio.petrelli <at> gmail.com> writes:
>> >
>> >>
>> >> Hi all,
>> >> Andrea Vettori, in the Struts Users mailing list, probably discovered
>> >> a possible Denial-Of-Service bug in Struts 2.
>> >> The cause could be XWork.
>> >>
>> >
>> > Hi,
>> >
>> > Furthermore, I'd like to know if there are other "values" that can
>> > trigger the problem.
>> > Since I don't think that normal users of my site use that kind of
>> > password, I'm looking for whatever has triggered the problem about
>> > once a day on my e-commerce site...
>> >
>> > I've tried to follow the source of various classes but it's all new
>> > to me so I'm a bit lost.
>> >
>> > Thanks
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> > For additional commands, e-mail: dev-help@struts.apache.org
>> >
>>
>> --
>> Ing. Andrea Vettori
>> Information Technology Consultant
>>
>>
>>
>>
>>

--
Ing. Andrea Vettori
Information Technology Consultant



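The behaviour the thread is circling, as an added toy model (this is illustration code, not Struts or XWork code, and it is not from anyone on this thread): a textfield tag in the page source carries the template %{password}; the submitted value is looked up and substituted in. The first renderer re-scans its own output and expands again whatever still looks like %{...}, which is how a submitted "%{1+1}" turns into "2" and how a submitted "%{password}" expands to itself forever. The second renderer expands only what was written in the source and inserts the field value verbatim, which is the "do different things for source values and user values" split Andrea describes. The %{...} delimiters, the field name "password", the pass limit of 10, the integer-only expression language and the three sample submissions are all assumptions made for the example.

```python
"""Toy model of the double-evaluation problem discussed in the thread.

Added illustration, not Struts or XWork code.  The expression language is
restricted to integer arithmetic and field lookups; there are no method
calls, so nothing here resembles OGNL beyond the %{...} delimiters.
"""
import ast
import operator
import re

# %{...} with no nested braces (assumed simplification of the tag syntax).
EXPR = re.compile(r"%\{([^{}]*)\}")

# The only operators the toy evaluator understands.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def evaluate(expr, fields):
    """Evaluate one expression: integer arithmetic or a lookup of a submitted
    field.  Walks the ast so no eval() is involved."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name):            # e.g. %{password}
            return fields[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported construct in %r" % expr)
    return walk(ast.parse(expr, mode="eval").body)


class TooManyPasses(Exception):
    """Raised when expansion keeps producing new %{...} text."""


def render_reevaluating(template, fields, max_passes=10):
    """Expand %{...} and re-scan the result until nothing is left to expand.

    This is the problematic behaviour: a field value that itself looks like
    %{...} gets evaluated on the next pass, and a value that expands to
    itself never terminates.  Without max_passes this is the infinite loop;
    with it, the loop is cut short and reported instead."""
    text = template
    for _ in range(max_passes):
        if not EXPR.search(text):
            return text
        text = EXPR.sub(lambda m: str(evaluate(m.group(1), fields)), text)
    raise TooManyPasses(text)


def render_once(template, fields):
    """Expand only the expressions written in the page source.  Whatever a
    field lookup returns is inserted verbatim and never re-scanned, so a
    user-submitted '%{...}' is just characters."""
    return EXPR.sub(lambda m: str(evaluate(m.group(1), fields)), template)


def demo():
    """Run three constructed submissions for a 'password' field through both
    renderers.  Returns {submitted: (re-evaluating result, single-pass result)};
    'LOOP' marks a submission that hit the pass limit."""
    template = "%{password}"     # what the textfield tag carries in the source
    results = {}
    for submitted in ("hunter2", "%{1+1}", "%{password}"):
        fields = {"password": submitted}   # constructed form submission
        try:
            naive = render_reevaluating(template, fields)
        except TooManyPasses:
            naive = "LOOP"
        results[submitted] = (naive, render_once(template, fields))
    return results


if __name__ == "__main__":
    for submitted, (naive, once) in demo().items():
        print("%-14s re-evaluating: %-12s single pass: %s"
              % (submitted, naive, once))
```

The pass limit only turns a hang into an error; the fix that matters is render_once, which never feeds data that came from the request back into the expression evaluator. In the toy that also removes the "%{1+1}" becoming "2" behaviour Andrea observed, since the submitted text is no longer treated as an expression at all.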

