Implementing SessionAware allows session tampering
--------------------------------------------------

                 Key: WW-3631
                 URL: https://issues.apache.org/jira/browse/WW-3631
             Project: Struts 2
          Issue Type: Bug
          Components: Value Stack
    Affects Versions: 2.1.8.1
         Environment: Tested using Glassfish v3.
            Reporter: Jeremy Long
            Priority: Critical


This was previously raised as an issue under WW-2264. After the discussion it 
was determined that this is not a bug - I disagree and would like to raise the 
issue again.

If an Action implements SessionAware, the contents of the session are 
modifiable; this includes the public setters on objects stored in the session.

OK, for the Action to be able to modify the contents of the session it must 
also implement a "public Map getSession()". However, even if the Action does 
not implement a getSession method it is still possible for an attacker to 
tamper with the contents of the HttpSession and affect the processing of the 
Action.

I agree with the solutions previously discussed in WW-2264 that 'session' 
should be added to the parameter exclusion list in the struts-default.xml. 
Additionally, a warning should be added to the JavaDoc for SessionAware 
indicating the possible issue with exposing the session via the interface and 
that, if the configuration of the interceptors does not explicitly exclude 
'session' in the paramExclude node, it is possible for a requester to 
modify the session.
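The following struts.xml fragment is an added example; it is not part of the JIRA issue and not the Struts project's own configuration. It shows the parameter exclusion list the reporter is asking for, with the Struts 2.1.8-era default beside a hardened version. It assumes the "params" interceptor's excludeParams setting (a comma-separated list of regular expressions matched against request parameter names) and the "params.excludeParams" syntax for overriding a nested interceptor parameter inside a stack reference, both as documented for the Struts 2 ParametersInterceptor; the package, stack and action names are placeholders. The hardened pattern list mirrors what later Struts 2 releases ship by default, but check it against the version you actually run.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.1//EN"
    "http://struts.apache.org/dtds/struts-2.1.dtd">
<!-- Added example configuration (not from the issue or the Struts project).
     Package, stack and action names below are placeholders. -->
<struts>
  <package name="example" extends="struts-default">

    <!-- WEAK: the 2.1.8 defaultStack only excludes dojo.* and struts.* parameter
         names. A request parameter whose name starts with "session." is still
         handed to OGNL, and if the Action implements SessionAware and exposes a
         public getSession(), the expression walks into the HttpSession map and
         the public setters of the objects stored there. -->
    <interceptor-stack name="weakStack">
      <interceptor-ref name="defaultStack">
        <param name="params.excludeParams">dojo\..*,^struts\..*</param>
      </interceptor-ref>
    </interceptor-stack>

    <!-- HARDENED: additionally reject any parameter name rooted at session,
         request, application or the servlet request/response objects, so a
         request parameter can never address them through the value stack. -->
    <interceptor-stack name="hardenedStack">
      <interceptor-ref name="defaultStack">
        <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*</param>
      </interceptor-ref>
    </interceptor-stack>

    <!-- Make the hardened stack the default for every action in the package. -->
    <default-interceptor-ref name="hardenedStack"/>

    <!-- Placeholder action; a SessionAware implementation would live here. -->
    <action name="profile" class="com.example.ProfileAction">
      <result>/profile.jsp</result>
    </action>
  </package>
</struts>
```

The exclusion is applied by name before any OGNL evaluation, so it protects SessionAware actions whether or not they also expose a public getSession(). It is a defence in depth alongside the Action-side measure the issue already implies: keep the session map behind a non-public accessor so the setter injected by SessionAware is not mirrored by a getter the value stack can traverse. After changing the list, a quick check is to send a request with a parameter named "session.<anything>" in a test environment and confirm the interceptor logs it as excluded rather than setting it.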

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira