struts-dev mailing list archives

From "Musachy Barroso" <musa...@gmail.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 16:45:00 GMT
Another workaround is to implement ParameterNameAware, and return false for
parameters like "%{...}". I think that ParametersInterceptor needs to check
for values like that, just like it does with the names in acceptableNames().

musachy

On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
>
> The DoS is because you can trigger an infinite loop.
>
> Please take a look at the jira issue.
>
> Looks like we need to do different things if the value is specified
> in the source code or if it's inserted in the field by the user.
>
> http://struts.apache.org/2.0.8/docs/tag-syntax.html
>
>
>
>
> On 05/Jul/07, at 17:47, Bob Lee wrote:
>
> > Possible DoS? Isn't this a remote exploit? Can you call arbitrary
> > methods?
> >
> > Bob
> >
> > On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
> >>
> >> some simple testing shows that the field value is simply evaluated...
> >>
> >> try to put on a struts textfield %{1+1} submit and you'll get "2" on
> >> the field...
> >>
> >> Cool but don't think it should be the default behaviour.
> >>
> >> What constructs can trigger recursion ?
> >>
> >>
> >> On 05/Jul/07, at 14:00, Andrea wrote:
> >>
> >> > Antonio Petrelli <antonio.petrelli <at> gmail.com> writes:
> >> >
> >> >>
> >> >> Hi all,
> >> >> Andrea Vettori, in the Struts Users mailing list, probably
> >> discovered
> >> >> a possible Denial-Of-Service bug in Struts 2.
> >> >> The cause could be XWork.
> >> >>
> >> >
> >> > Hi,
> >> >
> >> > furthermore I'd like to know if there are other "values" that can
> >> > trigger the
> >> > problem.
> >> > Since I don't think that normal users of my site use that kind of
> >> > password,
> >> > I'm looking for whatever has triggered the problem about once a day
> >> > on my
> >> > e-commerce site...
> >> >
> >> > I've tried to follow the source of various classes but it's all new
> >> > to me so I'm
> >> > a bit lost.
> >> >
> >> > Thanks
> >> >
> >> >
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> > For additional commands, e-mail: dev-help@struts.apache.org
> >> >
> >>
> >> --
> >> Ing. Andrea Vettori
> >> Information Technology Consultant
> >>
> >>
> >>
> >>
>
> --
> Ing. Andrea Vettori
> Information Technology Consultant
>
>
>
>


-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd
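An illustration of the two checks Musachy describes, added here as an example and not code from the Struts or XWork projects: an action implementing ParameterNameAware that refuses parameter names carrying "%{...}" expression syntax, plus a standalone helper that applies the same test to parameter values (the check he says ParametersInterceptor itself should perform). The class name, the `looksLikeExpression` test and the `filterParameters` helper are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

// Example only: an action that rejects request parameters whose *name*
// looks like a Struts "%{...}" expression, the workaround suggested above.
public class SafeParamsAction extends ActionSupport implements ParameterNameAware {

    // Assumed test: anything containing the "%{" expression opener is refused,
    // e.g. "%{1+1}" from the thread.
    static boolean looksLikeExpression(String s) {
        return s != null && s.contains("%{");
    }

    // ParameterNameAware hook: returning false makes ParametersInterceptor
    // skip the parameter instead of setting it on the action.
    public boolean acceptableParameterName(String parameterName) {
        return !looksLikeExpression(parameterName);
    }

    // Hypothetical helper applying the same test to *values*, which
    // ParameterNameAware alone cannot see. Entries with an expression-looking
    // name or value are dropped; everything else is kept in request order.
    static Map<String, String[]> filterParameters(Map<String, String[]> params) {
        Map<String, String[]> clean = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            boolean bad = looksLikeExpression(e.getKey());
            for (String v : e.getValue()) {
                bad |= looksLikeExpression(v);
            }
            if (!bad) {
                clean.put(e.getKey(), e.getValue());
            }
        }
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample request, not captured traffic.
        Map<String, String[]> request = new LinkedHashMap<String, String[]>();
        request.put("username", new String[] {"alice"});
        request.put("password", new String[] {"%{1+1}"}); // expression in a value
        request.put("%{x}", new String[] {"y"});          // expression in a name
        Map<String, String[]> kept = filterParameters(request);
        System.out.println("kept parameters: " + kept.keySet());
    }
}
```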
