struts-issues mailing list archives

From "M.Eng Info Sec Concordia University (JIRA)" <>
Subject [jira] [Created] (WW-4487) Struts 2.3.20 web applications - Potential vulnerabilities
Date Wed, 08 Apr 2015 18:07:12 GMT
M.Eng Info Sec Concordia University created WW-4487:

             Summary: Struts 2.3.20 web applications - Potential vulnerabilities 
                 Key: WW-4487
             Project: Struts 2
          Issue Type: Bug
          Components: Example Applications
    Affects Versions: 2.3.23
            Reporter: M.Eng Info Sec Concordia University
            Priority: Trivial

Dear Struts 2.x Development Team, 

As part of our Master's Program course (M.Eng. Information System Security) project, we chose
to analyse and find potential security issues in the Struts 2.3.20 web applications (included
as war files in the Struts installation bundle). Below is the list of unique vulnerabilities
we found. Since software developers use these war files as a platform to build real-world
applications, the identified vulnerabilities would be present in the actual applications as
well. Please analyse the vulnerabilities carefully. We hope that this exercise will help
you to fix the vulnerabilities in a future release.
No: 1
Vulnerability Type: Privacy Violation
File Name:
Line No: 374
Summary: The method findUser() in mishandles confidential information, which can compromise user privacy and is often illegal. Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.

No: 2
Vulnerability Type: Denial of Service
File Name:
Line No: 35
Summary: The call to sleep() at line 35 allows an attacker to crash the program or otherwise make it unavailable to legitimate users. An attacker could cause the program to crash or otherwise become unavailable to legitimate

No: 3
Vulnerability Type: Hardcoded Password
File Name:
Line No: 110
Summary: Hardcoded passwords can compromise system security in a way that cannot be easily remedied.

No: 4
Vulnerability Type: Password (Unencrypted) in a config file
File Name:
Line No: 1
Summary: Storing a plaintext password in a configuration file may result in a system compromise.

No: 5
Vulnerability Type: Unreleased Resources
File Name:
Line No: 219
Summary: The function calculatePath() in sometimes fails to release a system resource allocated by getResourceAsStream() on line 219. The program can potentially fail to release a system resource.

Thanks and Regards

This message was sent by Atlassian JIRA
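Finding 5 above (a stream obtained from getResourceAsStream() that is not released on every exit path) is easiest to understand with the leaky pattern beside its fix. The following is an added illustration, not code from the Struts example applications and not the calculatePath() method the report refers to, whose file is not named on this page. The class name ResourceLeakDemo, the openTracked() wrapper and the OPEN_STREAMS counter are assumptions introduced only to make the leak observable; the resource read is the running class's own .class file, which is always present on the classpath, so the program runs offline.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.concurrent.atomic.AtomicInteger;

public class ResourceLeakDemo {

    // Assumed helper state: counts streams that were opened but not yet closed,
    // so the leak in the first method is visible rather than silent.
    static final AtomicInteger OPEN_STREAMS = new AtomicInteger();

    // Assumed helper: wraps Class.getResourceAsStream() so that close() is tracked.
    static InputStream openTracked(String name) throws IOException {
        InputStream raw = ResourceLeakDemo.class.getResourceAsStream(name);
        if (raw == null) {
            throw new IOException("resource not found: " + name);
        }
        OPEN_STREAMS.incrementAndGet();
        return new FilterInputStream(raw) {
            @Override
            public void close() throws IOException {
                OPEN_STREAMS.decrementAndGet();
                super.close();
            }
        };
    }

    // Leaky pattern (the shape a static analyser reports as "Unreleased Resource"):
    // the stream is closed only on the happy path. If read() throws, or the
    // simulated mid-read failure fires, in.close() is never reached.
    static long leakyCount(String name, boolean failMidway) throws IOException {
        InputStream in = openTracked(name);
        long count = 0;
        while (in.read() != -1) {
            count++;
            if (failMidway && count == 10) {
                throw new IOException("simulated failure while reading"); // stream left open
            }
        }
        in.close();
        return count;
    }

    // Fixed pattern: try-with-resources closes the stream on every exit path,
    // including exceptions and early returns.
    static long safeCount(String name, boolean failMidway) throws IOException {
        try (InputStream in = openTracked(name)) {
            long count = 0;
            while (in.read() != -1) {
                count++;
                if (failMidway && count == 10) {
                    throw new IOException("simulated failure while reading");
                }
            }
            return count;
        }
    }

    public static void main(String[] args) throws IOException {
        // The class file of this very class: guaranteed to exist at runtime.
        String resource = "ResourceLeakDemo.class";

        try {
            leakyCount(resource, true);
        } catch (IOException expected) {
            // swallowed: we only care about what was left open
        }
        System.out.println("open streams after leaky method: " + OPEN_STREAMS.get());

        OPEN_STREAMS.set(0);
        try {
            safeCount(resource, true);
        } catch (IOException expected) {
            // swallowed again
        }
        System.out.println("open streams after safe method:  " + OPEN_STREAMS.get());

        // Happy path: both methods close the stream and return the byte count.
        System.out.println("bytes read on success: " + safeCount(resource, false));
    }
}
```

Compile and run with `javac ResourceLeakDemo.java && java ResourceLeakDemo`. The same try-with-resources shape applies to any Closeable returned by getResourceAsStream(), a servlet's ServletContext.getResourceAsStream() or a FileInputStream; the analyser's "sometimes fails to release" wording points at exactly the exception and early-return paths the leaky method leaves uncovered.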
