From: "Alex Siman (JIRA)"
To: issues@struts.apache.org
Reply-To: dev@struts.apache.org
Date: Sat, 26 Sep 2009 11:35:48 -0700 (PDT)
Subject: [jira] Commented: (WW-3264) Vulnerability of dynamic method invocation
Message-ID: <1829711292.1253990148381.JavaMail.jira@brutus>
In-Reply-To: <439353099.1253929848722.JavaMail.jira@brutus>

    [ https://issues.apache.org/struts/browse/WW-3264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46845#action_46845 ]

Alex Siman commented on WW-3264:
--------------------------------

thanks for your understanding))

> Vulnerability of dynamic method invocation
> ------------------------------------------
>
>                 Key: WW-3264
>                 URL: https://issues.apache.org/struts/browse/WW-3264
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.1.8
>            Reporter: Alex Siman
>            Priority: Critical
>
> Dynamic method invocation is a security hole. If any of an action's methods has "public" visibility and returns String, then an attacker can call this method. In the example below, an attacker can call the method "changeAdminPassword()" of TestAction from a URL like:
>
> http://example.com/test!changeAdminPassword.action
>
> import com.opensymphony.xwork2.ActionSupport;
> import org.apache.struts2.interceptor.validation.SkipValidation;
>
> // Extends ActionSupport for addActionMessage()/addFieldError() and the SUCCESS/INPUT constants.
> public class TestAction extends ActionSupport
> {
>     private String currentPassword = null;
>
>     @SkipValidation
>     public String execute() throws Exception
>     {
>         if (getValidCurrentPassword().equals(currentPassword))
>         {
>             String feedback = changeAdminPassword();
>             addActionMessage(feedback);
>             return SUCCESS;
>         }
>         else
>         {
>             addFieldError("currentPassword", "Invalid password.");
>             return INPUT;
>         }
>     }
>
>     // Note "public" visibility here.
>     public String changeAdminPassword()
>     {
>         String newPassword = "new-admin";
>         // Persist changes here...
>         return "Admin password has been changed to '" + newPassword + "'.";
>     }
>
>     // Placeholder for the lookup of the stored admin password (not shown in the original report).
>     private String getValidCurrentPassword()
>     {
>         return "old-admin";
>     }
>
>     public String getCurrentPassword()
>     {
>         return currentPassword;
>     }
>
>     public void setCurrentPassword(String currentPassword)
>     {
>         this.currentPassword = currentPassword;
>     }
> }
>
> To fix this vulnerability we must leverage [com.opensymphony.xwork2.config.entities.ActionConfig.allowedMethods].
> And to prevent backward incompatibility, add a new default setting like:
>
> default.properties
> ==================
> ## Note "false".
> struts.enable.DynamicMethodInvocation.restrictToAllowedMethods = false
>
> Desired code in struts.xml
> ==========================
> [The XML markup of this sample was not preserved in the archive; only these values survive, in order: /login.jsp, doLogin, doLogin, doRegister, create, list, view.]
>
> Desired code w/ Convention plugin:
> (Note the @AllowedMethod annotation)
> ==================================
> import com.opensymphony.xwork2.ActionSupport;
> import org.apache.struts2.interceptor.validation.SkipValidation;
>
> public class LoginAction extends ActionSupport
> {
>     @SkipValidation
>     public String execute()
>     {
>         // Nothing.
>         return INPUT;
>     }
>
>     // @AllowedMethod is the annotation proposed by this issue; it did not exist in Struts 2.1.8.
>     @AllowedMethod
>     public String doLogin()
>     {
>         // Method's body here...
>         // password = getPasswordHash();
>         return SUCCESS;
>     }
>
>     // This method cannot be invoked dynamically.
>     public String getPasswordHash()
>     {
>         // Method's body here...
>         return "xxx";
>     }
> }

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
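For comparison with the allowedMethods proposal in the report above, the following shows the same hardening expressed in the configuration that later shipped in Struts 2.5 as Strict Method Invocation (SMI): the weak setup in which `test!changeAdminPassword.action` reaches any public String-returning method, beside the corrected setup in which dynamic method invocation is switched off and the only per-method dispatch is an explicit wildcard mapping with an allow-list. This is an added example written for this page, not code from the issue or from the Struts project; the package names, namespace, result pages and the com.example class names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- struts.xml, WEAK: DMI enabled, no method allow-list.
     Any public method of com.example.TestAction that returns String is callable
     as /test!<method>.action, which is exactly the hole described in WW-3264. -->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>

    <package name="weak" namespace="/" extends="struts-default">
        <action name="test" class="com.example.TestAction">
            <result>/test.jsp</result>
            <result name="input">/test.jsp</result>
        </action>
    </package>
</struts>

<?xml version="1.0" encoding="UTF-8"?>
<!-- struts.xml, HARDENED (separate file, shown here for side-by-side comparison):
     1. DMI is off, so the "action!method" URL form is not honoured at all.
     2. strict-method-invocation="true" makes the framework refuse any method
        that is not listed in <allowed-methods> / <global-allowed-methods>.
     3. Per-method dispatch, where really needed, goes through an explicit
        wildcard mapping whose allow-list names only the intended entry points. -->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

    <package name="secure" namespace="/" extends="struts-default"
             strict-method-invocation="true">

        <!-- Applies to every action in this package that has no own list. -->
        <global-allowed-methods>execute</global-allowed-methods>

        <!-- Only execute() is reachable; changeAdminPassword() stays internal
             even though it is public and returns String. -->
        <action name="test" class="com.example.TestAction">
            <result>/test.jsp</result>
            <result name="input">/test.jsp</result>
        </action>

        <!-- /login_doLogin.action and /login_doRegister.action are dispatched;
             /login_getPasswordHash.action is rejected by SMI. -->
        <action name="login_*" method="{1}" class="com.example.LoginAction">
            <allowed-methods>doLogin,doRegister</allowed-methods>
            <result>/home.jsp</result>
            <result name="input">/login.jsp</result>
        </action>
    </package>
</struts>
```

The two `<struts>` documents are separate files; they are placed in one block only so the weak and hardened settings can be read together. Note that `<allowed-methods>` replaces the package-wide `<global-allowed-methods>` for that action rather than extending it, so `execute` must be listed again on any action that also needs the default entry point. For Convention-plugin applications, Struts 2.5 added a class-level `@AllowedMethods` annotation (org.apache.struts2.convention.annotation.AllowedMethods) that plays the role of the method-level `@AllowedMethod` proposed in the report.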