[
https://issues.apache.org/struts/browse/WW-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42439
]
Hisato Killing commented on WW-2264:
------------------------------------
At last, this problem was able to be understood thanks to everybody :)
I will close this issue for the following reasons.
1. The query above never puts the value in HttpSession itself.
2. Map passed to Action has the possibility to be orver-written. However,
this is a quite new map, and the processing continuance of Action is
done difficultly.
3. The problem of 2 can be blocked. Because query evaluted as simple String.
Thank you !!
> A session value is overwrited by requesting.
> --------------------------------------------
>
> Key: WW-2264
> URL: https://issues.apache.org/struts/browse/WW-2264
> Project: Struts 2
> Issue Type: Bug
> Components: Value Stack
> Affects Versions: 2.0.9
> Environment: I tested in struts2.0.9
> Reporter: Hisato Killing
> Priority: Critical
> Attachments: s2inject.zip
>
>
> The attacker can inject the given value into session map by clicking
> following URL.
> http://example.com/SomeAction.action?session.somekey=someValue
> [[A session value is overwrited by demanding a browser. ]]
> FROM: [EMAIL PROTECTED]
> TO: struts-dev
> >>>>
> 1.This problem is caused in struts 2.0.9 and others perhaps.
> In that case, it is assumed that it is as follows.
> i. SomeAction is implements SessionAware.
> ii. And It is defined in struts-default.
> iii. devMode is true or false.
> ["someValue"] of the name of "someKey" enters in SessionMap when the
> request shown in that URL is processed.
> It is meant that ["someValue"] is an array including "someValue".
> This causes ClassCastException in case of almost.
> [EMAIL PROTECTED]
> It is thought that this only has to be my mistake ,setting etc.
> Thanks
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
