From: Brian Pontarelli
To: Struts Developers List <dev@struts.apache.org>
List-Id: "Struts Developers List"
Date: Thu, 05 Jul 2007 11:32:35 -0600
Subject: Re: [S2] Heads Up: possible DOS problem
Message-ID: <468D2B33.3040500@pontarelli.com>
References: <2BB8416C-6940-4FBE-8E04-BF1E8F41EABB@andreavettori.com> <0E7F46A5-8565-4B52-AF52-6840CCFB4873@andreavettori.com>
User-Agent: Thunderbird 1.5.0.12 (X11/20070604)

How about %{@net.java.util.FileTools.prune("/")}.
Seems like that could be the worst attack. ;) Probably best to shut down the entire thing. Don't let evaluation occur at all on incoming parameter values.

-bp

Tom Schneider wrote:
> works
> for me, so I think a remote execution is definitely possible.
> (Something like Runtime.exec would probably cause a lot of problems)
>
> Do we need to filter certain classes/methods? I'm not sure how else
> we would solve this--this could allow someone to do some nasty stuff.
> Tom
>
> On 7/5/07, Bob Lee wrote:
>> On 7/5/07, Ing. Andrea Vettori wrote:
>> >
>> > The DoS is because you can trigger an infinite loop.
>>
>>
>> My point is, can you execute arbitrary code on the server? If so, a
>> DoS is
>> the least of your worries.
>>
>> Bob
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
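The defect the thread is arguing about, as an added example that is not part of the original message and is not Struts or OGNL code: a toy %{...} translator in Python, with Python's eval() standing in for OGNL and a constructed FileTools stub (whose prune() only records the path it was asked to delete) standing in for the static utility joked about above. It shows how evaluating an incoming parameter value (here by rescanning already-substituted output) hands the evaluator to whoever controls the request, and beside it the hardened form Brian describes, where parameter values are only ever data. Every name, template and parameter in it is an assumption.

```python
import re

# Added illustration, not Struts/OGNL code: a minimal %{...} translator
# shown once with the evaluation behaviour the thread warns about and once
# hardened so incoming parameter values are never evaluated.

EXPR = re.compile(r"%\{(.*?)\}")
TEMPLATE = "Hello %{name}: %{greeting}"   # assumed developer-authored template


class FileTools:
    """Constructed stand-in for a dangerous static utility reachable from the
    expression language (the thread's hypothetical net.java.util.FileTools).
    prune() only records the path it was asked to delete."""
    deleted = []

    @staticmethod
    def prune(path):
        FileTools.deleted.append(path)
        return "pruned " + path


def constructed_params():
    """Constructed request parameters as they would be set on the action.
    'greeting' carries an expression instead of data."""
    return {"name": "world", "greeting": '%{FileTools.prune("/")}'}


# --- vulnerable variant ------------------------------------------------------

def evaluate_unsafe(expr, props):
    """Hands the expression to a general-purpose evaluator.  Python's eval()
    stands in for OGNL: both resolve property names, and both can reach
    arbitrary code (OGNL through @class@method static references)."""
    scope = dict(props)
    scope["FileTools"] = FileTools
    return eval(expr, {"__builtins__": {}}, scope)


def translate_unsafe(text, props):
    """Rescans its own output until nothing changes, so a %{...} that arrived
    inside a parameter value is evaluated on the second pass.  A value such as
    '%{greeting}x' grows on every pass and never terminates: the
    denial-of-service face of the same defect."""
    prev = None
    while prev != text:
        prev = text
        text = EXPR.sub(lambda m: str(evaluate_unsafe(m.group(1), props)), text)
    return text


# --- hardened variant --------------------------------------------------------

PROPERTY = re.compile(r"^[A-Za-z_]\w*$")


def evaluate_safe(expr, props):
    """Accepts only a bare property name looked up in the action's
    properties: no calls, no static references, no operators."""
    if not PROPERTY.match(expr):
        raise ValueError("expression not allowed: " + expr)
    return props[expr]


def translate_safe(template, props):
    """One pass over the developer-authored template.  Substituted values are
    data and are never rescanned, so a %{...} inside a parameter value is
    emitted literally."""
    return EXPR.sub(lambda m: str(evaluate_safe(m.group(1), props)), template)


def safe_rejects(expr):
    """True if the hardened evaluator refuses the expression outright."""
    try:
        evaluate_safe(expr, {})
    except ValueError:
        return True
    return False


# --- drivers -----------------------------------------------------------------

def run_unsafe():
    FileTools.deleted.clear()
    out = translate_unsafe(TEMPLATE, constructed_params())
    return out, list(FileTools.deleted)


def run_safe():
    FileTools.deleted.clear()
    out = translate_safe(TEMPLATE, constructed_params())
    return out, list(FileTools.deleted)


if __name__ == "__main__":
    print(run_unsafe())   # ('Hello world: pruned /', ['/'])
    print(run_safe())     # ('Hello world: %{FileTools.prune("/")}', [])
```

The two variants differ in exactly the way the thread proposes: the hardened translator never feeds anything that came from the request back into the evaluator, and its evaluator accepts only property reads, so even a developer template cannot reach a static method. Filtering particular classes or methods, as Tom asks about, would be a further, weaker layer on top of that.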