struts-dev mailing list archives

From "Ing. Andrea Vettori" <m...@andreavettori.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 16:52:03 GMT
I hope it can be fixed ASAP, since I think that most of us users don't
use the value parameter on most of our forms.

Do you think it could be possible to "trigger" the infinite loop
using something other than %{something}?
As you may know, I'm faced with the problem of garbage, but I don't think
my users write OGNL code in my fields :)


On 05 Jul 2007, at 18:46, Musachy Barroso wrote:

> Implementing ParameterNameAware would solve the problem of someone
> tampering with the parameter name, but not entering %{} in the value.
> We need to prevent both.
>
> musachy
>
> On 7/5/07, Musachy Barroso <musachy@gmail.com> wrote:
>>
>> Another workaround is to implement ParameterNameAware, and return false
>> for parameters like "%{...}". I think that ParametersInterceptor needs to
>> check for values like that, just like it does with the names in
>> acceptableNames()
>>
>> musachy
>>
>> On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
>> >
>> > The DoS is because you can trigger an infinite loop.
>> >
>> > Please take a look at the Jira issue.
>> >
>> > Looks like we need to do different things if the value is specified
>> > in the source code or if it's inserted in the field by the user.
>> >
>> > http://struts.apache.org/2.0.8/docs/tag-syntax.html
>> >
>> >
>> >
>> >
>> > On 05 Jul 2007, at 17:47, Bob Lee wrote:
>> >
>> > > Possible DoS? Isn't this a remote exploit? Can you call arbitrary
>> > > methods?
>> > >
>> > > Bob
>> > >
>> > > On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
>> > >>
>> > >> Some simple testing shows that the field value is simply evaluated...
>> > >>
>> > >> Try putting %{1+1} in a Struts textfield, submit, and you'll get "2"
>> > >> in the field...
>> > >>
>> > >> Cool, but I don't think it should be the default behaviour.
>> > >>
>> > >> What constructs can trigger recursion?
>> > >>
>> > >>
>> > >> On 05 Jul 2007, at 14:00, Andrea wrote:
>> > >>
>> > >> > Antonio Petrelli <antonio.petrelli <at> gmail.com> writes:
>> > >> >
>> > >> >>
>> > >> >> Hi all,
>> > >> >> Andrea Vettori, in the Struts Users mailing list, probably discovered
>> > >> >> a possible Denial-Of-Service bug in Struts 2.
>> > >> >> The cause could be XWork.
>> > >> >>
>> > >> >
>> > >> > Hi,
>> > >> >
>> > >> > Furthermore, I'd like to know if there are other "values" that can
>> > >> > trigger the problem.
>> > >> > Since I don't think that normal users of my site use that kind of
>> > >> > password, I'm looking for whatever has triggered the problem about
>> > >> > once a day on my e-commerce site...
>> > >> >
>> > >> > I've tried to follow the source of various classes, but it's all new
>> > >> > to me, so I'm a bit lost.
>> > >> >
>> > >> > Thanks
>> > >> >
>> > >> >
>> > >> >
>> > >> > ---------------------------------------------------------------------
>> > >> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> > >> > For additional commands, e-mail: dev-help@struts.apache.org
>> > >> >
>> > >>
>> > >> --
>> > >> Ing. Andrea Vettori
>> > >> Information Technology Consultant
>> > >>
>> > >>
>> > >>
>> > >>  
>> > >>
>> > >>
>> >
>> > --
>> > Ing. Andrea Vettori
>> > Information Technology Consultant
>> >
>> >
>> >
>> >  
>> >
>> >
>>
>>
>> --
>> "Hey you! Would you help me to carry the stone?" Pink Floyd
>
>
>
>
> -- 
> "Hey you! Would you help me to carry the stone?" Pink Floyd

--
Ing. Andrea Vettori
Information Technology Consultant
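The workaround Musachy describes in the quoted messages, written out as an added example: an action that implements ParameterNameAware so that ParametersInterceptor refuses expression-looking parameter names, plus an interceptor that does the same check on the submitted values, which ParametersInterceptor itself does not do. This is illustration code, not code from this thread, from Struts or from XWork. The class names RejectExpressionParamsInterceptor and LoginAction, the interceptor name used in the struts.xml fragment, and the choice to stop the request with the "input" result are assumptions; the check only looks for the literal markers %{ and ${, which is what the thread identifies, and does not cover whatever other construct may trigger the loop.

```java
// Added example (not from the thread, Struts or XWork). Two classes share one
// file for brevity, so LoginAction is package-private.
package example;                                   // hypothetical package

import java.util.Iterator;
import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.ValidationAware;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Runs before "params" in the interceptor stack and refuses any request in
 * which a parameter NAME or VALUE carries an expression marker. Registered in
 * struts.xml like this (the interceptor name is an assumption):
 *
 *   <interceptor name="rejectExpressionParams"
 *                class="example.RejectExpressionParamsInterceptor"/>
 *   <interceptor-stack name="guardedStack">
 *     <interceptor-ref name="rejectExpressionParams"/>
 *     <interceptor-ref name="defaultStack"/>
 *   </interceptor-stack>
 */
public class RejectExpressionParamsInterceptor extends AbstractInterceptor {

    /** Only the markers named in the thread; other OGNL syntax is not covered. */
    static boolean looksLikeExpression(String s) {
        return s != null && (s.indexOf("%{") >= 0 || s.indexOf("${") >= 0);
    }

    /** Request parameters arrive as String[]; a bare String is handled too. */
    static boolean valueLooksLikeExpression(Object value) {
        if (value instanceof String[]) {
            String[] values = (String[]) value;
            for (int i = 0; i < values.length; i++) {
                if (looksLikeExpression(values[i])) {
                    return true;
                }
            }
            return false;
        }
        return value instanceof String && looksLikeExpression((String) value);
    }

    public String intercept(ActionInvocation invocation) throws Exception {
        Map params = invocation.getInvocationContext().getParameters();
        for (Iterator it = params.entrySet().iterator(); it.hasNext();) {
            Map.Entry entry = (Map.Entry) it.next();
            String name = String.valueOf(entry.getKey());
            if (looksLikeExpression(name) || valueLooksLikeExpression(entry.getValue())) {
                // Stop before "params" runs: the value never reaches the value
                // stack, so nothing downstream gets a chance to evaluate it.
                Object action = invocation.getAction();
                if (action instanceof ValidationAware) {
                    ((ValidationAware) action).addActionError(
                            "Parameter '" + name + "' contains an expression and was rejected");
                }
                return Action.INPUT;   // assumes an "input" result is mapped for the action
            }
        }
        return invocation.invoke();
    }
}

/**
 * The name-side workaround from the thread: when the action implements
 * ParameterNameAware, ParametersInterceptor asks acceptableParameterName()
 * about every incoming name. On its own this never looks at values, which is
 * why the interceptor above exists.
 */
class LoginAction extends ActionSupport implements ParameterNameAware {

    private String username;
    private String password;

    public boolean acceptableParameterName(String parameterName) {
        return !RejectExpressionParamsInterceptor.looksLikeExpression(parameterName);
    }

    public String execute() {
        // Constructed placeholder; real authentication would go here.
        return (username != null && password != null) ? SUCCESS : INPUT;
    }

    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
}
```

The guard rejects the whole request instead of stripping the markers, so a legitimate user who types "%{" into a field sees an error rather than a silently altered value. It answers only the %{...} case raised in the thread; the question of whether some other value can trigger the loop is left open in the discussion and is not addressed by this check.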


