[
https://issues.apache.org/struts/browse/WW-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42427
]
Antonio Petrelli commented on WW-2264:
--------------------------------------
Don, probably I have not been clear with what I meant.
The problem is not in the session values itself, but how they are evaluated.
If the session remains untouched, but you evaluate the "overridden" session
map, and in this map there is a malicious code (for example, System.exit),
there is a security hole indeed.
The question that I raised is: are these "overridden" session attributes
evaluated by OGNL as OGNL expressions? Or do they remain only strings?
> A session value is overwrited by requesting.
> --------------------------------------------
>
> Key: WW-2264
> URL: https://issues.apache.org/struts/browse/WW-2264
> Project: Struts 2
> Issue Type: Bug
> Components: Value Stack
> Affects Versions: 2.0.9
> Environment: I tested in struts2.0.9
> Reporter: Hisato Killing
> Priority: Critical
> Attachments: s2inject.zip
>
>
> The attacker can inject the given value into session map by clicking
> following URL.
> http://example.com/SomeAction.action?session.somekey=someValue
> [[A session value is overwrited by demanding a browser. ]]
> FROM: [EMAIL PROTECTED]
> TO: struts-dev
> >>>>
> 1.This problem is caused in struts 2.0.9 and others perhaps.
> In that case, it is assumed that it is as follows.
> i. SomeAction is implements SessionAware.
> ii. And It is defined in struts-default.
> iii. devMode is true or false.
> ["someValue"] of the name of "someKey" enters in SessionMap when the
> request shown in that URL is processed.
> It is meant that ["someValue"] is an array including "someValue".
> This causes ClassCastException in case of almost.
> [EMAIL PROTECTED]
> It is thought that this only has to be my mistake ,setting etc.
> Thanks
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
