struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WW-4487) Struts 2.3.20 web applications - Potential vulnerabilities
Date Wed, 08 Apr 2015 18:30:12 GMT

     [ https://issues.apache.org/jira/browse/WW-4487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-4487:
------------------------------
    Affects Version/s:     (was: 2.3.23)
                       2.3.20

> Struts 2.3.20 web applications - Potential vulnerabilities 
> -----------------------------------------------------------
>
>                 Key: WW-4487
>                 URL: https://issues.apache.org/jira/browse/WW-4487
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Example Applications
>    Affects Versions: 2.3.20
>            Reporter: M.Eng Info Sec Concordia University
>            Priority: Trivial
>              Labels: Concordia, Info, M.Eng, Sec, University
>
> Dear Struts 2.x Development Team,
> As part of our Master's Program course (M.Eng. Information System Security) project,
> we tried to analyse and find potential security issues in the Struts 2.3.20 web applications
> (included as war files in the Struts installation bundle). Below is the unique list of vulnerabilities
> we found. Since software developers use these war files as a platform to build real-world
> applications, the identified vulnerabilities would be present in the actual applications as
> well. Please analyse the vulnerabilities carefully. We hope that this exercise would help
> you to fix the vulnerabilities in a future release.
> Sl No | Vulnerability Type | File Name | Line No | Summary
> 1 | Privacy Violation | MailreaderSupport.java | 374 | The method findUser() in MailreaderSupport.java mishandles confidential information, which can compromise user privacy and is often illegal. Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.
> 2 | Denial of Service | LongProcessAction.java | 35 | The call to sleep() at LongProcessAction.java line 35 allows an attacker to crash the program or otherwise make it unavailable to legitimate users. An attacker could cause the program to crash or otherwise become unavailable to legitimate users.
> 3 | Hardcoded Password | Constants.java | 110 | Hardcoded passwords can compromise system security in a way that cannot be easily remedied.
> 4 | Password (unencrypted) in a config file | alternate.properties | 1 | Storing a plaintext password in a configuration file may result in a system compromise.
> 5 | Unreleased Resources | ApplicationListener.java | 219 | The function calculatePath() in ApplicationListener.java sometimes fails to release a system resource allocated by getResourceAsStream() on line 219. The program can potentially fail to release a system resource.
> Thanks and Regards



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
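The "Unreleased Resources" finding (item 5 in the report) is a pattern rather than a Struts-specific bug: a stream obtained from getResourceAsStream() is only closed on the happy path, so any exception between open and close leaks the handle, and a missing resource (getResourceAsStream() returns null) turns into a NullPointerException. The following is an added, illustrative example written for this page; it is not the Struts ApplicationListener.calculatePath() source, and the class name ResourceRelease and both method names are assumptions. It shows the leaky shape beside a hardened version that closes the stream on every path and handles the missing-resource case explicitly.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

// Illustrative example only (not Struts code). Class and method names are assumptions.
public class ResourceRelease {

    // Leaky shape: the stream is closed only if readLine() succeeds. If it throws,
    // the InputStream stays open until the GC finalizer (if ever) reclaims it.
    // If the resource is absent, `in` is null and the constructor throws an NPE.
    static String leakyReadFirstLine(ClassLoader loader, String name) throws IOException {
        InputStream in = loader.getResourceAsStream(name);
        BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
        String line = reader.readLine();   // an exception here skips close() below
        reader.close();
        return line;
    }

    // Hardened shape: try-with-resources closes every opened stream on all exit paths,
    // including exceptions. A null resource is skipped by try-with-resources (no close
    // is attempted), so the missing-resource case is reported as a clear IOException.
    static String readFirstLine(ClassLoader loader, String name) throws IOException {
        try (InputStream in = loader.getResourceAsStream(name)) {
            if (in == null) {
                throw new IOException("resource not found on classpath: " + name);
            }
            try (BufferedReader reader =
                         new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
                String line = reader.readLine();
                return line == null ? "" : line;   // empty resource: return "", not null
            }
        }
    }

    public static void main(String[] args) throws IOException {
        ClassLoader loader = ResourceRelease.class.getClassLoader();
        // Deliberately request a resource that is not on the classpath (constructed
        // input) so the missing-resource path is exercised without leaking anything.
        try {
            System.out.println(readFirstLine(loader, "does-not-exist.properties"));
        } catch (IOException e) {
            System.out.println("handled: " + e.getMessage());
        }
    }
}
```

The hardened method needs try-with-resources, which requires Java 7 or later; on an older JDK the equivalent is a try/finally that null-checks the stream before calling close(). A file-descriptor leak of this kind is itself a denial-of-service vector on a long-running container: each failed request holds one more descriptor until the process hits its ulimit.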