[ https://issues.apache.org/jira/browse/WW-3668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081300#comment-13081300 ]

Hideyuki Suzumi edited comment on WW-3668 at 8/9/11 2:18 AM:
-------------------------------------------------------------

Please try:
<' + #application + '>

This input is converted into the following OGNL expression:
'<' + #application + '>'

"Integer Validator Field" displays the following value:
<{org.apache.catalina.resources=org.apache.naming.resources.ProxyDirContext@13577ca, sitemesh.factory=com.opensymphony.module.sitemesh.factory.DefaultFactory@1e881b6, org.apache.jasper.runtime.JspApplicationContextImpl=org.apache.jasper.runtime.JspApplicationContextImpl@d200d8, ..., .freemarker.JspTaglibs=freemarker.ext.jsp.TaglibFactory@14b9b80}>

      was (Author: slopetown):
Please try:
<' + #application + '>

This input is converted into the following OGNL expression:
'<' + #application + '>'

> Vulnerability: User input is evaluated as an OGNL expression when there's a
> conversion error.
> ---------------------------------------------------------------------------------------------
>
>                 Key: WW-3668
>                 URL: https://issues.apache.org/jira/browse/WW-3668
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.2.3
>         Environment: Struts 2.2.3
>                      Tomcat 7.0.19
>            Reporter: Hideyuki Suzumi
>
> 1. Run "Struts Showcase".
> 2. Click "Validation".
> 3. Click "Field Validators".
> 4. Type "<' + #application + '>" in the "Integer Validator Field".
> 5. Click "Submit".
> 6. You can get all "application" scoped variables in the "Integer Validator Field".
>
> Please fix ConversionErrorInterceptor and RepopulateConversionErrorFieldValidatorSupport.
>
> com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor
> 87: return "'" + value + "'";
>
> com.opensymphony.xwork2.validator.validators.RepopulateConversionErrorFieldValidatorSupport
> 175: fakeParams.put(fullFieldName, "'" + tmpValue[0] + "'");
> 182: fakeParams.put(fullFieldName, "'" + tmpValue + "'");

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
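The quoting pattern the report points at, beside an escaped variant and a check that the built expression is still one string literal, as an added example that is not part of the issue or of the Struts/XWork code. Python stands in for the Java here; the escaping function and the literal check are assumptions for illustration, not the project's fix.

```python
# Constructed sample: the input from the WW-3668 reproduction steps.
REPRO_INPUT = "<' + #application + '>"


def vulnerable_override_expr(value: str) -> str:
    """Same pattern as the cited lines: the raw value is concatenated between
    single quotes, so a quote inside the value closes the literal and the
    remainder is parsed as OGNL rather than as data."""
    return "'" + value + "'"


def escaped_override_expr(value: str) -> str:
    """Hardened form (an assumption for this example, not the project's patch):
    backslashes and single quotes are escaped so the whole value stays inside
    one string literal. Backslashes go first so the quote escape is not doubled."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def is_single_string_literal(expr: str) -> bool:
    """Scan expr and report whether it is exactly one single-quoted literal,
    honouring backslash escapes, with nothing outside the quotes. This only
    covers the single-quoted form used on the cited lines."""
    if len(expr) < 2 or expr[0] != "'":
        return False
    i = 1
    while i < len(expr):
        ch = expr[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == "'":
            return i == len(expr) - 1  # closing quote must be the final char
        i += 1
    return False  # unterminated literal


if __name__ == "__main__":
    for builder in (vulnerable_override_expr, escaped_override_expr):
        expr = builder(REPRO_INPUT)
        ok = is_single_string_literal(expr)
        print(f"{builder.__name__}: {expr!r} -> single literal: {ok}")
```

A check like `is_single_string_literal` is only a guard for this one pattern; the durable fix is not to build expression source from request data at all.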