struts-dev mailing list archives

From "Musachy Barroso" <musa...@gmail.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 16:46:52 GMT
Implementing ParameterNameAware would solve the problem of someone tampering
with the parameter name, but not entering %{} in the value. We need to prevent
both.

musachy

On 7/5/07, Musachy Barroso <musachy@gmail.com> wrote:
>
> Another workaround is to implement ParameterNameAware, and return false
> for parameters like "%{...}". I think that ParametersInterceptor needs to
> check for values like that, just like it does with the names in
> acceptableNames()
>
> musachy
>
> On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
> >
> > The DoS is because you can trigger an infinite loop.
> >
> > Please take a look at the jira issue.
> >
> > Looks like we need to do different things if the value is specified
> > in the source code or if it's inserted in the field by the user.
> >
> > http://struts.apache.org/2.0.8/docs/tag-syntax.html
> >
> >
> >
> >
> > On 05/Jul/07, at 17:47, Bob Lee wrote:
> >
> > > Possible DoS? Isn't this a remote exploit? Can you call arbitrary
> > > methods?
> > >
> > > Bob
> > >
> > > On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
> > >>
> > >> some simple testing shows that the field value is simply evaluated...
> > >>
> > >> try to put on a struts textfield %{1+1} submit and you'll get "2" on
> > >> the field...
> > >>
> > >> Cool but don't think it should be the default behaviour.
> > >>
> > >> What constructs can trigger recursion ?
> > >>
> > >>
> > >> On 05/Jul/07, at 14:00, Andrea wrote:
> > >>
> > >> > Antonio Petrelli <antonio.petrelli <at> gmail.com> writes:
> > >> >
> > >> >>
> > >> >> Hi all,
> > >> >> Andrea Vettori, in the Struts Users mailing list, probably discovered
> > >> >> a possible Denial-Of-Service bug in Struts 2.
> > >> >> The cause could be XWork.
> > >> >>
> > >> >
> > >> > Hi,
> > >> >
> > >> > furthermore I'd like to know if there are other "values" that can trigger the
> > >> > problem.
> > >> > Since I don't think that normal users of my site use that kind of password,
> > >> > I'm looking for whatever has triggered the problem about once a day on my
> > >> > e-commerce site...
> > >> >
> > >> > I've tried to follow the source of various classes but it's all new to me so I'm
> > >> > a bit lost.
> > >> >
> > >> > Thanks
> > >> >
> > >> >
> > >> >
> > >> ---------------------------------------------------------------------
> > >> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > >> > For additional commands, e-mail: dev-help@struts.apache.org
> > >> >
> > >>
> > >> --
> > >> Ing. Andrea Vettori
> > >> Information Technology Consultant
> > >>
> > >>
> >
> > --
> > Ing. Andrea Vettori
> > Information Technology Consultant
> >
> >
>
>
> --
> "Hey you! Would you help me to carry the stone?" Pink Floyd




-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd
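
The workaround discussed in this thread, as an added example (not code from the thread or from Struts itself): an action that implements ParameterNameAware to reject parameter names containing "%{" and, because that interface only ever sees names, also filters the submitted value in its setter. LoginAction, username and hasExpressionSyntax are hypothetical names, and the code assumes XWork 2 is on the classpath.

```java
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

// Hypothetical action: class, field and helper names are illustrative only.
public class LoginAction extends ActionSupport implements ParameterNameAware {

    private String username;

    // True when the text contains the "%{" expression opener from the thread.
    static boolean hasExpressionSyntax(String text) {
        return text != null && text.contains("%{");
    }

    // ParametersInterceptor asks the action about each request parameter name;
    // returning false makes the interceptor skip that parameter entirely.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return !hasExpressionSyntax(parameterName);
    }

    // ParameterNameAware never sees the value, so the setter drops any value
    // that carries the expression opener before it can be stored and rendered.
    public void setUsername(String username) {
        this.username = hasExpressionSyntax(username) ? null : username;
    }

    public String getUsername() {
        return username;
    }

    // Report a dropped or missing value as an ordinary field error.
    @Override
    public void validate() {
        if (username == null) {
            addFieldError("username", "User name is missing or not allowed");
        }
    }
}
```

The value check has to be repeated for every String property the action exposes, which is why the thread asks for it to live in ParametersInterceptor instead.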
