struts-user mailing list archives

From Jeromy Evans <jeromy.ev...@blueskyminds.com.au>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 07:03:21 GMT
Is there a policy or person in the struts2, webwork or apache team with 
a PR role that's going to announce the vulnerability? 

I'm obliged to keep my clients informed and I'd rather point them to a 
factual article announced by the community than to a misinformed post 
that will undoubtedly soon appear on theserverside.com, slashdot or a 
vulnerability site.

Don Brown wrote:
> If your application is displaying user input without checking for
> malicious code, you have a problem whether Struts 2 evaluates OGNL
> expressions or not. This is how the majority of Cross-Site
> Scripting (XSS) [1] attacks work: tricking the user into visiting a
> page on which the attacker has placed JavaScript that steals their
> cookies.
>
> That said, the average Struts developer may not be aware of how OGNL
> is being used here, so we should do something to better protect the
> application.
>
> I'm taking this discussion over to the dev@ list.
>
> Don
>
> [1] http://en.wikipedia.org/wiki/Cross-site_scripting
>
> On 7/16/07, Aram Mkhitaryan <aram.mkhitaryan@googlemail.com> wrote:
>> Maybe it's new just for me, but I found out one of the main reasons
>> for the problem
>>
>> try to submit "%{@java.lang.System@exit(0)}" in the viewable property
>> for example you submit a text, and it is displayed by s2's tags
>>
>> try and have fun ...
>>
>> this expression works and my server shuts down!
>>
>> the problem I mentioned is that when I say "print property" it
>> executes it at first ...
>> but it should not! I'm right, aren't I?
>>
>> why does it execute the string value in my property?
>> (it's not just a problem, it's a security risk, the users can hack s2
>> sites)
>> (at least whoever reads this message will know that he can hack s2
>> sites and the simplest way is given above)
>>
>> that's why even when you do not use ognl expressions, it still works
>> and it costs ...
>>
>> Best,
>> Aram
>> ________________________________
>> Aram Mkhitaryan
>>
>> 52, 25 Lvovyan, Yerevan 375000, Armenia
>>
>> Mobile: +374 91 518456
>> E-mail: aram.mkhitaryan@googlemail.com
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
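Added example, not code from this thread or from Struts itself: a plain-Java illustration of the defensive point in Don's reply, that a stored user value must reach the page as inert text. `escapeHtml` and `renderAsLiteral` emit the value as literal, HTML-escaped output, and `looksLikeOgnlExpression` flags submissions carrying the `%{...}` expression syntax discussed above so they can be logged or alerted on. The class and method names and the sample submissions are constructed for this example; it does not use Struts' tag or OGNL APIs, and the detector is a monitoring aid, not a substitute for tags that do not re-evaluate user data.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Constructed example (not Struts code): render user-supplied text as
 * inert literal output and flag values that carry OGNL expression syntax.
 */
public class SafeDisplay {

    // The %{ ... } delimiter form quoted in the thread; detection only.
    private static final Pattern OGNL_EXPRESSION = Pattern.compile("%\\{[^}]*\\}");

    /** HTML-escape a value so the browser renders it as text, never as markup or script. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** True when the submitted value contains what looks like an OGNL expression. */
    public static boolean looksLikeOgnlExpression(String s) {
        return OGNL_EXPRESSION.matcher(s).find();
    }

    /**
     * What a view should emit for a stored user value: the literal text, escaped.
     * The value is never handed to anything that would evaluate it.
     */
    public static String renderAsLiteral(String userValue) {
        return escapeHtml(userValue);
    }

    public static void main(String[] args) {
        // Constructed, benign sample submissions; the last carries expression syntax.
        List<String> submissions = Arrays.asList(
            "hello world",
            "<script>alert(1)</script>",
            "%{1 + 1}");
        for (String v : submissions) {
            if (looksLikeOgnlExpression(v)) {
                // Alert here; the value is still only ever displayed as escaped text.
                System.out.println("ALERT: expression syntax in user input: " + escapeHtml(v));
            }
            System.out.println("render: " + renderAsLiteral(v));
        }
    }
}
```

Run with `javac SafeDisplay.java && java SafeDisplay`. The `<script>` submission comes out as `&lt;script&gt;...`, and the `%{1 + 1}` submission produces an alert line followed by the same characters rendered literally; neither path evaluates anything.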