From "Rene Gielen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4487) Struts 2.3.20 web applications - Potential vulnerabilities
Date Thu, 09 Apr 2015 21:53:12 GMT

    [ https://issues.apache.org/jira/browse/WW-4487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14488351#comment-14488351 ]

Rene Gielen commented on WW-4487:
---------------------------------

This issue is apparently a followup to the mail the Struts Security Team received 2015-03-18,
to which I, as a member of the Struts Security Team, responded the same day. Our response
included analysis of each of the individual points you are making, coming to the basic conclusion
that these are not issues that qualify to be rated as security risks. However, if you feel
you have additional points to make or want to argue about our analysis, you would have found
us happily answering your concerns within the private mail communication that is standard
not only for reporting, but also for discussing possible security issues.

Maybe there has been some miscommunication, either by you not receiving my reply or by
me not being explicit enough in my mail. Let's address this.

{quote}
1	Privacy Violation	MailreaderSupport.java	374	The method findUser() in MailreaderSupport.java
mishandles confidential information, which can compromise user privacy and is often illegal. Mishandling
private information, such as customer passwords or social security numbers, can compromise
user privacy and is often illegal.
{quote}

The code in doubt:
{code:java}
    throw new ExpiredPasswordException(Constants.EXPIRED_PASSWORD_EXCEPTION);
{code}
What kind of mishandling have you identified there? I fail to see anything compromising here.
The method itself is a dummy implementation of a basic user password handling and works under
the constraints of a dummy implementation. That being said, what is your criticism, in particular
regarding this concrete code line? This line contains no password information whatsoever.

{quote}
2	Denial of Service	LongProcessAction.java	35	The call to sleep() at LongProcessAction.java
line 35 allows an attacker to crash the program or otherwise make it unavailable to legitimate
users. An attacker could cause the program to crash or otherwise become unavailable to legitimate
users.
{quote}

The line in doubt:
{code:java}
    Thread.sleep(time);
{code}
Maybe you have missed the class level documentation of this file:
{code:java}
/**
 * Example to illustrate the <code>execAndWait</code> interceptor.
 */
public class LongProcessAction extends ActionSupport {
{code}
It is the sole purpose of this action to support a showcase for how Struts is able to handle
a long running request without facing request timeouts and with being able to update the browser
UI while the process is performed. Since this is the showcase app, we need to provide a dummy
implementation for a long running process to, well, showcase this behavior. Thread.sleep()
does exactly this. This call would be absolutely pointless in a productive application, yet
needed here to showcase the said feature. Have you tried it by starting the application?

{quote}
3	Hardcoded Password	Constants.java 	110	Hardcoded passwords can compromise system security
in a way that cannot be easily remedied.
{quote}

The line in doubt:
{code:java}
    public static final String EXPIRED_PASSWORD_EXCEPTION = "ExpiredPasswordException";
{code}
A code line that contains the letters ??password?? is not therefore a hardcoded password.
This is no hardcoded password whatsoever, which should be quite easy to see even for a novice
Java developer.

{quote}
4	Password (Unencrypted) in a config file	alternate.properties	1	Storing a plaintext password in a configuration file
may result in a system compromise.
{quote}

The line in doubt:
{code:java}
password=Enter your Password here ==>
{code}
A code line that contains the letters ??password=?? is not therefore a hardcoded password.
With some deeper understanding of the Struts framework and the code presented here you would
have known that this is a resource file containing internationalized texts for UI labels and
components. This is no hardcoded password whatsoever.

{quote}
5	Unreleased Resources	ApplicationListener.java	219	The function calculatePath() in ApplicationListener.java
sometimes fails to release a system resource allocated by getResourceAsStream() on line 219. The
program can potentially fail to release a system resource.
{quote}

The line in doubt:
{code:java}
    InputStream is =
             context.getResourceAsStream(pathname);
{code}
As I stated in my e-mail reply, this is sloppy code, indeed. However, this is part of a dummy
implementation within a demonstration application and not part of the framework itself. Since
it is not our objective to provide a programming course for Java developers and since the
code is a lower level implementation detail of a dummy user database component that is not
even related to a productive implementation scenario, this code does not qualify for being
considered as a vulnerability. However, this code qualifies for improvement. So feel free
to file a separate issue to request an improvement of this code, preferably with a patch attached.

> Struts 2.3.20 web applications - Potential vulnerabilities 
> -----------------------------------------------------------
>
>                 Key: WW-4487
>                 URL: https://issues.apache.org/jira/browse/WW-4487
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Example Applications
>    Affects Versions: 2.3.20
>            Reporter: M.Eng Info Sec Concordia University
>            Priority: Trivial
>              Labels: Concordia, Info, M.Eng, Sec, University
>
> Dear Struts 2.x Development Team, 
> As part of our Master's Program course (M-Eng. Information System Security) project,
we tried to analyse and find potential security issues in Struts 2.3.20 web applications
(included as war files in the struts installation bundle). Below is the unique list of vulnerabilities
we found. Since software developers use these war files as a platform to build real world
applications, the identified vulnerabilities would be present in the actual applications as
well. Please analyse the vulnerabilities carefully. We hope that this exercise would help
you to fix the vulnerabilities in a future release.
> ||Sl No||Vulnerability Type||File Name||Line No||Summary||
> |1|Privacy Violation|MailreaderSupport.java|374|The method findUser() in MailreaderSupport.java mishandles confidential information, which can compromise user privacy and is often illegal. Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.|
> |2|Denial of Service|LongProcessAction.java|35|The call to sleep() at LongProcessAction.java line 35 allows an attacker to crash the program or otherwise make it unavailable to legitimate users. An attacker could cause the program to crash or otherwise become unavailable to legitimate users.|
> |3|Hardcoded Password|Constants.java|110|Hardcoded passwords can compromise system security in a way that cannot be easily remedied.|
> |4|Password (Unencrypted) in a config file|alternate.properties|1|Storing a plaintext password in a configuration file may result in a system compromise.|
> |5|Unreleased Resources|ApplicationListener.java|219|The function calculatePath() in ApplicationListener.java sometimes fails to release a system resource allocated by getResourceAsStream() on line 219. The program can potentially fail to release a system resource.|
> Thanks and Regards



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
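Point 5 is the one finding the comment accepts as sloppy code: a stream from getResourceAsStream() that is read but never closed. The following is an added example, not code from the Struts showcase or from this thread; it places the leaking pattern next to the try-with-resources form a fix patch would use. ResourceSource is a hypothetical stand-in for ServletContext#getResourceAsStream, which returns null for an unknown path.

```java
import java.io.ByteArrayInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class ResourceRelease {

    // Hypothetical stand-in for ServletContext#getResourceAsStream (assumption).
    interface ResourceSource {
        InputStream getResourceAsStream(String path);
    }

    // The pattern the scanner flagged: the stream is opened and read but never
    // closed, so the handle leaks on every call and on every exception.
    // A missing resource also surfaces as a NullPointerException.
    static long countBytesLeaky(ResourceSource ctx, String path) throws IOException {
        InputStream is = ctx.getResourceAsStream(path);
        long n = 0;
        while (is.read() != -1) {
            n++;
        }
        return n;
    }

    // Improved form: try-with-resources closes the stream on every exit path
    // (a null resource is simply skipped by the language), and the null case is
    // reported as a clear error instead of an NPE.
    static long countBytesSafe(ResourceSource ctx, String path) throws IOException {
        try (InputStream is = ctx.getResourceAsStream(path)) {
            if (is == null) {
                throw new FileNotFoundException("resource not found: " + path);
            }
            long n = 0;
            while (is.read() != -1) {
                n++;
            }
            return n;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an in-memory "web application" with one resource.
        byte[] data = "hello".getBytes(StandardCharsets.UTF_8);
        ResourceSource ctx = p -> "/WEB-INF/sample.txt".equals(p) ? new ByteArrayInputStream(data) : null;

        System.out.println(countBytesSafe(ctx, "/WEB-INF/sample.txt"));
        try {
            countBytesSafe(ctx, "/WEB-INF/missing.txt");
        } catch (FileNotFoundException e) {
            System.out.println(e.getMessage());
        }
    }
}
```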
