struts-dev mailing list archives

From "Ing. Andrea Vettori" <m...@andreavettori.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Sat, 07 Jul 2007 06:48:10 GMT
I understand...

I'll try to use your patch, hoping I never have a legal parameter in
the form of %{something}.


On 07/Jul/07, at 01:11, Musachy Barroso wrote:

> That could prevent the infinite recursion, but not the remote exploit; I
> would still be able to pass this in:
>
> /something.action?name=@System@exit()
>
> As a side note, this problem is not only tied to the tags and tag attributes
> as mentioned before; sometimes I have something like this in my action
> mappings:
>
> ...
> <result>someUrl.action&id=${id}</result>
> ...
>
> where "id" is usually a parameter, which could also be exploited.
>
> musachy
>
> On 7/6/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
>>
>> Please take a look at the jira issue.
>>
>> I've uploaded a possible nice solution.
>>
>> I desperately :) need to know if there are some possible problems with
>> using this on my site until a better solution is found.
>>
>> --
>> Ing. Andrea Vettori
>> Consultant for Information Technology
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>>
>
>
> -- 
> "Hey you! Would you help me to carry the stone?" Pink Floyd

--
Ing. Andrea Vettori
Consultant for Information Technology
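A defensive check of the kind Andrea's patch aims at, written here as an added example (it is neither the patch from the JIRA issue nor Struts code): it scans the decoded request parameters for OGNL expression syntax before anything evaluates them, and shows why a test for %{...} alone is not enough, since the @System@exit() form Musachy gives carries no braces. The sample requests are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shapes that mark a parameter value as an OGNL expression rather than data.
# "expression_wrapper" is the %{...} / ${...} form a second evaluation pass
# would interpret; "static_access" is the @Class@member form of @System@exit(),
# which has no braces and so slips past a %{...}-only check; "method_call" is
# the trailing (...) that turns a static reference into an invocation.
OGNL_MARKERS = {
    "expression_wrapper": re.compile(r"[%$]\{[^}]*\}"),
    "static_access": re.compile(r"@[A-Za-z_][\w.]*@[A-Za-z_]\w*"),
    "method_call": re.compile(r"[A-Za-z_]\w*\s*\([^)]*\)"),
}


def ognl_markers(value: str) -> list[str]:
    """Names of the marker patterns present in one decoded parameter value."""
    return [name for name, rx in OGNL_MARKERS.items() if rx.search(value)]


def scan_request(path_and_query: str) -> dict[str, list[str]]:
    """Map each parameter whose value looks like OGNL to the markers found.

    An empty dict means nothing in the query string needs rejecting or logging.
    Values are URL-decoded first, the way the servlet container hands them to
    the framework, so %25%7B is examined as "%{".
    """
    findings: dict[str, list[str]] = {}
    for name, value in parse_qsl(urlsplit(path_and_query).query, keep_blank_values=True):
        hits = ognl_markers(value)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample requests (hypothetical; the first is the thread's payload).
SAMPLE_REQUESTS = [
    "/something.action?name=@System@exit()",   # static access, no braces
    "/something.action?name=%25%7Bname%7D",   # decodes to %{name}
    "/someUrl.action?id=42",                   # ordinary value, not flagged
    "/search.action?q=john%40example.com",     # a single '@' is not OGNL
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, "->", scan_request(request) or "clean")
```

The method_call pattern is the noisiest of the three and will also flag ordinary text containing parentheses, so a production check would act on it together with a static_access or expression_wrapper hit rather than on its own.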