struts-issues mailing list archives

From "Jeremy Long (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-3631) Implementing SessionAware allows session tampering
Date Fri, 24 Feb 2012 10:59:49 GMT

    [ https://issues.apache.org/jira/browse/WW-3631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215553#comment-13215553 ]

Jeremy Long commented on WW-3631:
---------------------------------

Lukasz,

I believe Abraham Kang found a different issue with ServletRequestAware
but I don't know if he has notified anyone of it yet. I cced him as it
would be trivial to add a block for that too while fixing this issue.

With regards to the other *Aware interfaces I couldn't find a way to
exploit ServletResponseAware or ParameterAware - not saying there aren't
other issues there, but I couldn't come up with anything. However, I might
suggest proactively protecting the ServletResponseAware and ParameterAware
too.

Abe - anything else?

So the excludeParams should be:

{code:xml}
<param name="excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*</param>
{code}

--Jeremy

On Fri, Feb 24, 2012 at 3:34 AM, Lukasz Lenart (Commented) (JIRA) <
> Implementing SessionAware allows session tampering
> --------------------------------------------------
>
>                 Key: WW-3631
>                 URL: https://issues.apache.org/jira/browse/WW-3631
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Value Stack
>    Affects Versions: 2.1.8.1
>         Environment: Tested using Glassfish v3.
>            Reporter: Jeremy Long
>            Assignee: Lukasz Lenart
>            Priority: Critical
>              Labels: security
>             Fix For: 2.3.2
>
>         Attachments: Struts2Test.zip
>
>
> This was previously raised as an issue under WW-2264. After the discussion it was determined that this is not a bug - I disagree and would like to raise the issue again.
> If an Action implements SessionAware the contents of the session are modifiable; this includes the public setters on objects stored in the session.
> Ok, for the Action to be able to modify the contents of the session it must also implement a "public Map getSession()". However, even if the Action does not implement a getSession method it is still possible for an attacker to tamper with the contents of the HttpSession and affect the processing of the Action.
> I agree with the solutions previously discussed in WW-2264 that 'session' should be added to the parameter exclusion list in the struts-default.xml. Additionally, a warning should be added to the JavaDoc for SessionAware indicating the possible issue with exposing the session via the interface and that if the configuration of the interceptors does not explicitly exclude 'session' in the paramExclude node that it is possible for a requester to modify the session.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
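The exclusion list proposed in the comment above, as it would be applied in an application's own struts.xml rather than by waiting for a patched struts-default.xml. This is an added example written for this page; it is not code from the report, from Jeremy Long or from the Struts project. The package name, action name, class name and result path are placeholders, and the "before" list in the comment (dojo\..* and ^struts\..* only) is this editor's recollection of the shipped default at the time, not something the report states.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- Package, action, class and result names below are placeholders. -->
  <package name="hardened" extends="struts-default">

    <interceptors>
      <!-- Reuse the inherited defaultStack but override the exclusion list of
           its "params" (ParametersInterceptor) entry. Before the fix the shipped
           default excluded only dojo\..* and ^struts\..* (assumed here), so a
           request parameter named session.foo was evaluated against the value
           stack and could reach the session map. -->
      <interceptor-stack name="hardenedStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>

    <!-- Every action declared in this package now runs through the hardened
         stack, so an action that implements SessionAware, ServletRequestAware,
         ServletResponseAware or ParameterAware is no longer reachable through
         session.*, request.*, servletRequest.*, servletResponse.* or
         parameters.* parameter names. -->
    <default-interceptor-ref name="hardenedStack"/>

    <action name="profile" class="example.ProfileAction">
      <result>/WEB-INF/jsp/profile.jsp</result>
    </action>
  </package>
</struts>
```

The excludeParams value is a comma-separated list of regular expressions; the 2.3 ParametersInterceptor tests each whole incoming parameter name against every entry and drops the parameter on a match before it is ever set on the value stack. Because the check is a full match, the unanchored dojo\..* and the anchored ^session\..* behave the same way, and a name such as mysession.note is still accepted. Any package that does not extend this one (or that declares its own interceptor stack without this parameter) keeps the old behaviour, so check every package in the configuration, not only the default.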
