[ https://issues.apache.org/jira/browse/WW-3631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeremy Long updated WW-3631:
----------------------------
Attachment: Struts2Test.zip
The attached code is a Netbeans project that demos the issue discussed.
> Implementing SessionAware allows session tampering
> --------------------------------------------------
>
> Key: WW-3631
> URL: https://issues.apache.org/jira/browse/WW-3631
> Project: Struts 2
> Issue Type: Bug
> Components: Value Stack
> Affects Versions: 2.1.8.1
> Environment: Tested using Glassfish v3.
> Reporter: Jeremy Long
> Priority: Critical
> Labels: security
> Attachments: Struts2Test.zip
>
>
> This was previously raised as an issue under WW-2264. After the discussion it
> was determined that this is not a bug - I disagree and would like to raise
> the issue again.
> If an Action implements SessionAware, the contents of the session are
> modifiable; this includes the public setters on objects stored in the session.
> Ok, for the Action to be able to modify the contents of the session it must
> also implement a "public Map getSession()". However, even if the Action does
> not implement a getSession method, it is still possible for an attacker to
> tamper with the contents of the HttpSession and affect the processing of
> the Action.
> I agree with the solutions previously discussed in WW-2264 that 'session'
> should be added to the parameter exclusion list in the struts-default.xml.
> Additionally, a warning should be added to the JavaDoc for SessionAware
> indicating the possible issue with exposing the session via the interface and
> that, if the configuration of the interceptors does not explicitly exclude
> 'session' in the paramExclude node, it is possible for a requester to
> modify the session.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
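An added configuration example, not part of the report or of the attached Struts2Test.zip, showing the mitigation the report asks for: a struts.xml that overrides the params interceptor's exclusion list so that request parameters rooted at `session` are rejected before they reach a SessionAware action. In struts-default.xml the setting is named `excludeParams`; the package, stack, action and class names below are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.1.7//EN"
    "http://struts.apache.org/dtds/struts-2.1.7.dtd">
<struts>
  <!-- Hypothetical package; inherits defaultStack from struts-default. -->
  <package name="demo" extends="struts-default">
    <interceptors>
      <interceptor-stack name="sessionSafeStack">
        <interceptor-ref name="defaultStack">
          <!-- Weak setting shipped in struts-default.xml for 2.1.8.1:
                 dojo\..*,^struts\..*
               Nothing there matches a parameter named session.xxx, so the
               params interceptor resolves it through the session map that
               SessionAware exposes on the value stack.
               Corrected setting: the same list plus ^session\..* so any
               parameter whose name starts with "session." is dropped.
               Patterns are Java regexes matched against the whole name;
               "params." addresses the params interceptor inside the stack. -->
          <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>

    <!-- Make the hardened stack the default for every action in the package. -->
    <default-interceptor-ref name="sessionSafeStack"/>

    <!-- Hypothetical SessionAware action; with the stack above, a request
         parameter such as session.user.role is excluded instead of being
         pushed into the HttpSession. -->
    <action name="hello" class="com.example.HelloAction">
      <result>/hello.jsp</result>
    </action>
  </package>
</struts>
```

With the params interceptor's `devMode` logging enabled, excluded parameters show up in the log as rejected, which is the quickest way to confirm the override is in effect.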