[ https://issues.apache.org/struts/browse/WW-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42417 ]

Don Brown commented on WW-2264:
-------------------------------

Getting closer :)  OGNL still does not access private or protected variables or 
methods.  What is happening is OGNL only sees a setter, so it creates a new 
map, adds the request parameter to it, then sets it on the Action.  Therefore, 
the session map in question is being overridden, but not modified directly by 
OGNL.  I added a new unit test to ParametersInterceptorTest to prove this.

So the question remains, is this a gaping security hole? I'd argue not because 
the session isn't being attacked.  Is it a possible source of errors and 
perhaps in some limited cases, security breaches?  Yep, so I'd definitely 
consider it a bug, but not one to warrant an immediate security release.

As for a quick solution, we could modify the ParametersInterceptor config to 
ignore the 'session' parameters by default.  This can be done in 
struts-default.xml or in the user's specific interceptor stack.  Another 
workaround for the user is to implement ParameterNameAware, which lets them 
specify a list of acceptable parameters.

A new feature we could add would be a new annotation so that a user could 
annotate which setters/getters can be accessed, which is probably a good idea 
regardless.
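The ParameterNameAware workaround mentioned above, as an added example that is not code from the issue thread or the Struts project itself: an action that implements both SessionAware (so the injected session map is reachable through setSession) and ParameterNameAware, whose acceptableParameterName callback lets ParametersInterceptor drop any request parameter not on an explicit allowlist, so `session.somekey=someValue` is never handed to OGNL. The package name, the `name`/`page` properties and the allowlist contents are assumptions made for the example; the raw `Map` signature of setSession follows the Struts 2.0.x API the report targets.

```java
package example; // hypothetical package, chosen for the example

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

/**
 * Action that is SessionAware (ParametersInterceptor would otherwise let a
 * "session.foo" request parameter reach the setSession setter through OGNL)
 * and ParameterNameAware (so the interceptor asks us first, per parameter name).
 */
public class SomeAction extends ActionSupport implements SessionAware, ParameterNameAware {

    // Allowlist of request parameter names this action is willing to bind.
    // Anything else, including "session.somekey", is silently dropped by
    // ParametersInterceptor before OGNL ever sees it. (Assumed names for the example.)
    private static final Set<String> ACCEPTED_PARAMETERS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("name", "page")));

    private Map session;   // injected by ServletConfigInterceptor, never by a request parameter
    private String name;
    private int page;

    // SessionAware: the only way the session map should ever be set.
    public void setSession(Map session) {
        this.session = session;
    }

    // ParameterNameAware: called by ParametersInterceptor for every incoming
    // parameter name. Return false to reject it. Note that an exact-match
    // allowlist also rejects nested expressions ("name.foo") and OGNL syntax.
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null && ACCEPTED_PARAMETERS.contains(parameterName);
    }

    public void setName(String name) { this.name = name; }
    public String getName() { return name; }

    public void setPage(int page) { this.page = page; }
    public int getPage() { return page; }

    @Override
    public String execute() {
        // Whatever was stored under "somekey" by the application is still the
        // application's object, not a String[] overwritten by a request.
        Object existing = session.get("somekey");
        if (existing != null && !(existing instanceof String[])) {
            return SUCCESS;
        }
        return ERROR;
    }
}
```

ParametersInterceptor only consults acceptableParameterName when the action implements ParameterNameAware, so this protects one action at a time; the interceptor-stack configuration route Don mentions is the way to apply a default across all actions.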

> A session value is overwritten by a request.
> ---------------------------------------------
>
>                 Key: WW-2264
>                 URL: https://issues.apache.org/struts/browse/WW-2264
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Value Stack
>    Affects Versions: 2.0.9
>         Environment: I tested in struts2.0.9
>            Reporter: Hisato Killing
>            Priority: Critical
>         Attachments: s2inject.zip
>
>
> An attacker can inject a given value into the session map by clicking on 
> the following URL. 
> http://example.com/SomeAction.action?session.somekey=someValue
> [[A session value is overwritten by a request from a browser. ]]
> FROM:  [EMAIL PROTECTED] 
> TO: struts-dev
> >>>> 
> 1. This problem occurs in struts 2.0.9 and perhaps others.
> In that case, the following is assumed.
> i. SomeAction implements SessionAware.
> ii. It is defined in struts-default.
> iii. devMode is true or false.
> ["someValue"] is put into the SessionMap under the name "someKey" when the
> request shown in that URL is processed.
> This means that ["someValue"] is an array containing "someValue".
> This causes a ClassCastException in almost all cases.
> [EMAIL PROTECTED]
> It may be that this is only my mistake, a setting, etc.
> Thanks

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.