struts-dev mailing list archives

From "Tom Schneider" <schne...@gmail.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 17:20:39 GMT
<ww:property value="%{@java.lang.System@currentTimeMillis()}"/> works
for me, so I think remote execution is definitely possible.
(Something like Runtime.exec would probably cause a lot of problems)

Do we need to filter certain classes/methods?  I'm not sure how else
we would solve this--this could allow someone to do some nasty stuff.
Tom

On 7/5/07, Bob Lee <crazybob@crazybob.org> wrote:
> On 7/5/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
> >
> > The DoS is because you can trigger an infinite loop.
>
>
> My point is, can you execute arbitrary code on the server? If so, a DoS is
> the least of your worries.
>
> Bob
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
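The static call Tom reports working, and the class/method filtering he asks about, as an added example: this is not code from the thread, nor from the Struts or OGNL projects. It assumes the OGNL 3.1.x API (Ognl.createDefaultContext(root, ClassResolver, TypeConverter, MemberAccess), Ognl.getValue, the ognl.MemberAccess and ognl.ClassResolver interfaces) and that this OGNL version consults MemberAccess on the "@class@method()" path, which must be checked against the OGNL source your Struts build actually ships. The DENIED_CLASSES list and the Action bean are constructed for the demonstration.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import ognl.DefaultClassResolver;
import ognl.DefaultTypeConverter;
import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlException;

/*
 * Added example, not code from the struts-dev thread or from Struts/OGNL.
 * Assumes the OGNL 3.1.x API; verify against the OGNL version your build ships.
 */
public class OgnlStaticGuard {

    /** Stand-in for a Struts action on the value stack (constructed for the demo). */
    public static class Action {
        public String getName() { return "demo"; }
    }

    /** Assumed deny list for the demo; extend it for your application. */
    private static final Set<String> DENIED_CLASSES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System",
            "java.lang.Thread", "java.lang.Class", "java.lang.ClassLoader")));

    /** Refuses to resolve deny-listed names, so "@java.lang.Runtime@getRuntime()" never obtains a Class. */
    public static class DenyListClassResolver extends DefaultClassResolver {
        @Override
        public Class classForName(String className, Map context) throws ClassNotFoundException {
            if (DENIED_CLASSES.contains(className)) {
                throw new ClassNotFoundException("class not available to OGNL expressions: " + className);
            }
            return super.classForName(className, context);
        }
    }

    /** Allows public instance members only; every static method (the "@class@method()" path) is refused. */
    public static class NoStaticMemberAccess implements MemberAccess {
        @Override
        public Object setup(Map context, Object target, Member member, String propertyName) {
            return null; // accessibility is never changed, so there is nothing to restore
        }

        @Override
        public void restore(Map context, Object target, Member member, String propertyName, Object state) {
        }

        @Override
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            int mods = member.getModifiers();
            if (!Modifier.isPublic(mods)) {
                return false;
            }
            return !(member instanceof Method && Modifier.isStatic(mods));
        }
    }

    /** Context as a default OGNL setup builds it: public members, static calls included. */
    public static Map openContext(Object root) {
        return Ognl.createDefaultContext(root);
    }

    /** Hardened context: deny-listed classes cannot be resolved and static methods cannot be invoked. */
    public static Map guardedContext(Object root) {
        return Ognl.createDefaultContext(root, new DenyListClassResolver(),
                new DefaultTypeConverter(), new NoStaticMemberAccess());
    }

    /** Evaluates one expression and reports the outcome instead of letting the exception escape. */
    public static String evaluate(String expression, Map context, Object root) {
        try {
            return "allowed -> " + Ognl.getValue(expression, context, root);
        } catch (OgnlException e) {
            return "refused (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        Action root = new Action();
        String[] expressions = {
            "name",                                   // harmless property read, allowed in both
            "@java.lang.System@currentTimeMillis()",  // the call Tom reports working
            "@java.lang.Runtime@getRuntime()",        // the step before Runtime.exec
        };
        for (String expr : expressions) {
            System.out.println(expr);
            System.out.println("  open:    " + evaluate(expr, openContext(root), root));
            System.out.println("  guarded: " + evaluate(expr, guardedContext(root), root));
        }
    }
}
```

Of the two hooks, the MemberAccess rule is the one to rely on: a class deny list only ever names the classes someone thought of, whereas refusing every static method closes the whole "@class@method()" route at once. Neither replaces the real control, which is keeping request data out of the text that reaches Ognl.getValue in the first place.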

