[ https://issues.apache.org/struts/browse/WW-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42416 ]

Philip Luppens commented on WW-2264:
------------------------------------

Indeed, I can confirm this behaviour - I am able to set a property on a 
non-public map property with a public setter. There definitely is a fallback to 
the property, even if it's declared private. So the security problem still 
stands. Quite strange, because from the first looks of it, our memberaccess 
declared in XW shouldn't allow it.

When a public setter is available, access to a protected/private map is in fact 
granted, and we are allowed to change/set variables.

To test this, I added the following in SimpleAction:

public void setThePrivateMap(Map map) {
    this.protectedMap = map;
}

Note, no public getter.

And in the testcase ParametersInterceptorTest:

public void testParametersNotAccessProtectedMethods() throws Exception {
    ...
    params.put("thePrivateMap.koo", "This is blah");
    ...
}


> A session value is overwritten by requesting.
> ---------------------------------------------
>
>                 Key: WW-2264
>                 URL: https://issues.apache.org/struts/browse/WW-2264
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Value Stack
>    Affects Versions: 2.0.9
>         Environment: I tested in struts2.0.9
>            Reporter: Hisato Killing
>            Priority: Critical
>         Attachments: s2inject.zip
>
>
> The attacker can inject the given value into session map by clicking 
> following URL. 
> http://example.com/SomeAction.action?session.somekey=someValue
> [[A session value is overwritten by demanding a browser. ]]
> FROM:  [EMAIL PROTECTED] 
> TO: struts-dev
> >>>> 
> 1. This problem is caused in struts 2.0.9 and others perhaps.
> In that case, it is assumed that it is as follows.
> i. SomeAction implements SessionAware.
> ii. And it is defined in struts-default.
> iii. devMode is true or false.
> ["someValue"] of the name of "someKey" enters in SessionMap when the
> request shown in that URL is processed.
> It is meant that ["someValue"] is an array including "someValue".
> This causes a ClassCastException in almost every case.
> [EMAIL PROTECTED]
> It is thought that this only has to be my mistake, setting etc.
> Thanks
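The report above shows that a parameter named session.somekey walks off the action and into the value-stack context. The following is an added illustration, not code from Struts or from anyone on this thread, of the kind of parameter-name guard a parameters interceptor needs: an allowlist for plain bean-property paths plus a block on names whose root segment is a context object. The reserved-root list and the SAFE_NAME pattern are my assumptions for this example, modelled on the exclude-pattern approach later Struts releases adopted.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# Root segments that name servlet/context objects on the value stack rather
# than properties of the action. Assumption: constructed for this example,
# modelled on the exclude patterns later Struts releases ship with.
RESERVED_ROOTS = frozenset({
    "session", "request", "application", "parameters",
    "servletRequest", "servletResponse", "struts", "dojo",
})

# Allowlist: identifiers joined by dots, optionally with numeric or
# single-quoted-string indexes. OGNL operators, '#context' references,
# method calls and assignment characters fail this pattern outright.
SAFE_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*"
    r"(?:\.[A-Za-z_][A-Za-z0-9_]*|\[\d+\]|\['[^']*'\])*$"
)


def is_acceptable_name(name: str) -> bool:
    """Return True if this request parameter name may be set on the action."""
    if not SAFE_NAME.match(name):
        return False
    # First segment of the path decides which object the expression starts at.
    root = re.split(r"[.\[]", name, maxsplit=1)[0]
    return root not in RESERVED_ROOTS


def filter_params(query: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a raw query string into parameters to apply and names to drop."""
    accepted: Dict[str, List[str]] = {}
    rejected: List[str] = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if is_acceptable_name(name):
            # The servlet API hands each parameter to the action as an array,
            # which is the String[] the reporter saw land in the session map.
            accepted.setdefault(name, []).append(value)
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: the request from the report plus ordinary fields.
    q = "session.somekey=someValue&name=Bob&address['city']=Oslo&#foo=1"
    ok, dropped = filter_params(q)
    print("accepted:", ok)
    print("rejected:", dropped)
```

This guard addresses the session-injection report, not the private-field fallback Philip's test exercises; thePrivateMap.koo is a well-formed property path and passes here, so that second problem has to be solved at the OGNL member-access level.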

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.