From: "Musachy Barroso"
To: "Struts Developers List"
List-Id: "Struts Developers List"
Mailing-List: contact dev-help@struts.apache.org; run by ezmlm
Date: Thu, 5 Jul 2007 12:46:52 -0400
Subject: Re: [S2] Heads Up: possible DOS problem
References: <2BB8416C-6940-4FBE-8E04-BF1E8F41EABB@andreavettori.com> <0E7F46A5-8565-4B52-AF52-6840CCFB4873@andreavettori.com>

Implementing ParameterNameAware would solve the problem of someone tampering with the parameter name, but not entering %{} in the value. We need to prevent both.

musachy

On 7/5/07, Musachy Barroso wrote:
>
> Another workaround is to implement ParameterNameAware, and return false
> for parameters like "%{...}". I think that ParametersInterceptor needs to
> check for values like that, just like it does with the names in
> acceptableNames()
>
> musachy
>
> On 7/5/07, Ing. Andrea Vettori wrote:
> >
> > The DoS is because you can trigger an infinite loop.
> >
> > Please take a look at the jira issue.
> >
> > Looks like we need to do different things if the value is specified
> > in the source code or if it's inserted in the field by the user.
> >
> > http://struts.apache.org/2.0.8/docs/tag-syntax.html
> >
> > On 05 Jul 2007, at 17:47, Bob Lee wrote:
> >
> > > Possible DoS? Isn't this a remote exploit? Can you call arbitrary
> > > methods?
> > >
> > > Bob
> > >
> > > On 7/5/07, Ing. Andrea Vettori wrote:
> > >>
> > >> some simple testing shows that the field value is simply evaluated...
> > >>
> > >> try to put on a struts textfield %{1+1}, submit, and you'll get "2" on
> > >> the field...
> > >>
> > >> Cool, but I don't think it should be the default behaviour.
> > >>
> > >> What constructs can trigger recursion?
> > >>
> > >> On 05 Jul 2007, at 14:00, Andrea wrote:
> > >>
> > >> > Antonio Petrelli gmail.com> writes:
> > >> >
> > >> >> Hi all,
> > >> >> Andrea Vettori, in the Struts Users mailing list, probably
> > >> >> discovered a possible Denial-Of-Service bug in Struts 2.
> > >> >> The cause could be XWork.
> > >> >
> > >> > Hi,
> > >> >
> > >> > furthermore I'd like to know if there are other "values" that can
> > >> > trigger the problem.
> > >> > Since I don't think that normal users of my site use that kind of
> > >> > password, I'm looking for whatever has triggered the problem about
> > >> > once a day on my e-commerce site...
> > >> >
> > >> > I've tried to follow the source of various classes but it's all new
> > >> > to me, so I'm a bit lost.
> > >> >
> > >> > Thanks
> > >> >
> > >> > ---------------------------------------------------------------------
> > >> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > >> > For additional commands, e-mail: dev-help@struts.apache.org
> > >>
> > >> --
> > >> Ing. Andrea Vettori
> > >> Information Technology Consultant
> >
> > --
> > Ing. Andrea Vettori
> > Information Technology Consultant
>
> --
> "Hey you! Would you help me to carry the stone?" Pink Floyd

--
"Hey you! Would you help me to carry the stone?" Pink Floyd
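An added example, not code from the Struts or XWork projects or from anyone in this thread, illustrating the point of the top message: an action that implements ParameterNameAware can only veto parameter names, so a second check on parameter values is needed to stop "%{...}" from reaching the tag layer. Assumptions: the XWork 2.0.x interface com.opensymphony.xwork2.interceptor.ParameterNameAware with the method acceptableParameterName(String); a hypothetical, stricter whitelist for names (plain property paths only) instead of the character blacklist in the ParametersInterceptor of the day; and a constructed sample request map.

```java
// Added example (not Struts/XWork code). Filters submitted parameters on
// BOTH the name and the value, since ParameterNameAware only sees the name.
import com.opensymphony.xwork2.interceptor.ParameterNameAware; // assumed XWork 2.0.x interface
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ParameterFilterExample {

    // Hypothetical whitelist: accept only plain property paths such as
    // "user.name" or "items[0].qty". Anything with OGNL punctuation
    // ("%{", "#", "=", ",", ":", "(" ...) fails the whole-string match.
    private static final Pattern SAFE_NAME = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(?:\\.[A-Za-z_][A-Za-z0-9_]*|\\[\\d+\\])*");

    // Name check: what a ParameterNameAware action can enforce on its own.
    public static boolean acceptableName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    // Value check: reject anything the altSyntax tag layer would parse as an
    // expression if the value is echoed back into a tag attribute.
    public static boolean acceptableValue(String value) {
        return value == null || !value.contains("%{");
    }

    // Returns a copy of the submitted parameters with offending entries dropped.
    public static Map<String, String> filter(Map<String, String> params) {
        Map<String, String> clean = new LinkedHashMap<String, String>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!acceptableName(e.getKey())) {
                continue;              // name tampering, e.g. "%{...}" as a field name
            }
            if (!acceptableValue(e.getValue())) {
                continue;              // expression in the value, e.g. "%{1+1}"
            }
            clean.put(e.getKey(), e.getValue());
        }
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample request: one normal field, one OGNL-in-name,
        // one OGNL-in-value, one value with a harmless "%" that must survive.
        Map<String, String> submitted = new LinkedHashMap<String, String>();
        submitted.put("user.password", "correct horse");   // kept
        submitted.put("%{1+1}", "x");                       // dropped: name
        submitted.put("user.name", "%{1+1}");               // dropped: value
        submitted.put("user.note", "10% off {today}");      // kept: no "%{"
        System.out.println(filter(submitted));
    }
}

// Hypothetical action: ParameterNameAware lets it veto NAMES only, so the
// value check above still has to run somewhere else (e.g. an interceptor).
class ExampleAction implements ParameterNameAware {
    public boolean acceptableParameterName(String parameterName) {
        return ParameterFilterExample.acceptableName(parameterName);
    }
}
```

The name whitelist is deliberately tighter than a blacklist of individual characters: a whole-string match on a property-path grammar rejects any future OGNL syntax without needing a new forbidden character each time. The value check is the part ParameterNameAware cannot express, which is the gap the message above points out.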