struts-dev mailing list archives

From Brian Pontarelli <br...@pontarelli.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 17:32:35 GMT
How about %{@net.java.util.FileTools.prune("/")}. Seems like that could 
be the worst attack.
;)

Probably best to shut down the entire thing. Don't let evaluation occur 
at all on incoming parameter values.

-bp


Tom Schneider wrote:
> <ww:property value="%{@java.lang.System@currentTimeMillis()}"/> works
> for me, so I think a remote execution is definitely possible.
> (Something like Runtime.exec would probably cause a lot of problems)
>
> Do we need to filter certain classes/methods?  I'm not sure how else
> we would solve this--this could allow someone to do some nasty stuff.
> Tom
>
> On 7/5/07, Bob Lee <crazybob@crazybob.org> wrote:
>> On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
>> >
>> > The DoS is because you can trigger an infinite loop.
>>
>>
>> My point is, can you execute arbitrary code on the server? If so, a 
>> DoS is
>> the least of your worries.
>>
>> Bob
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
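The mitigation Brian proposes, refusing to evaluate incoming parameter values at all, can be made concrete with an allow-list on parameter names: only plain property paths ever reach the expression evaluator, and anything carrying expression syntax (the `%{...}` and `@class@method()` forms shown earlier in the thread) is refused up front. The class below is an added illustration written for this page, not Struts or XWork code; the class name `ParameterNameAllowList`, the `isAcceptable` method, the length limit and the accepted grammar (dotted identifiers with optional integer or quoted-string index) are all assumptions chosen for the example, and the sample names in `main` are constructed except for the one quoted from the thread.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Struts/XWork code): an allow-list check for incoming
 * request parameter names. Only a plain property path such as "user.name"
 * or "items[0].qty" is accepted; a name containing expression syntax is
 * rejected before it is ever handed to the expression evaluator.
 */
public final class ParameterNameAllowList {

    // Hypothetical grammar for this example: a Java-style identifier,
    // optionally followed by [integer] or ['quoted key'], repeated with dots.
    private static final Pattern SAFE_NAME = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*"
        + "(?:\\[(?:\\d+|'[A-Za-z0-9_ ]*')\\])?"
        + "(?:\\.[A-Za-z_][A-Za-z0-9_]*(?:\\[(?:\\d+|'[A-Za-z0-9_ ]*')\\])?)*");

    // Assumed upper bound; long names are refused without further inspection.
    private static final int MAX_LENGTH = 100;

    private ParameterNameAllowList() {}

    /** Returns true only when the whole name is a plain property path. */
    public static boolean isAcceptable(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_LENGTH) {
            return false;
        }
        // matches() requires the entire string to fit the grammar, so a
        // trailing "(" or an embedded "@" or "%{" cannot slip through.
        return SAFE_NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed samples: ordinary form field names that should pass ...
        String[] plain = {"user.name", "items[0].qty", "address['zip']"};
        // ... and names carrying expression syntax that should be refused.
        String[] expression = {
            "%{@java.lang.System@currentTimeMillis()}", // quoted from the thread
            "#foo",        // constructed: context-variable syntax
            "user.name(",  // constructed: method-call syntax
            "a=b"          // constructed: assignment syntax
        };
        for (String n : plain) {
            System.out.println("plain      " + n + " -> " + isAcceptable(n));
        }
        for (String n : expression) {
            System.out.println("expression " + n + " -> " + isAcceptable(n));
        }
    }
}
```

The point of an allow-list rather than a list of forbidden classes or methods is that it does not need to anticipate which class will be reached next: the decision is made on the shape of the name before evaluation, so the question of what a given expression would do on the server never arises. In a real deployment the check would sit in whatever component maps request parameters onto the value stack, and rejected names should be logged so that probing shows up in the server logs.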

