[
https://issues.apache.org/jira/browse/WW-3631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13162408#comment-13162408
]
Jeremy Long commented on WW-3631:
---------------------------------
Lukasz,
Could you tell me what the fix will be in 3.x and what kind of timeline
there is for the 3.x version?
--Jeremy
On Sun, Dec 4, 2011 at 6:03 AM, Lukasz Lenart (Updated) (JIRA) <
> Implementing SessionAware allows session tampering
> --------------------------------------------------
>
> Key: WW-3631
> URL: https://issues.apache.org/jira/browse/WW-3631
> Project: Struts 2
> Issue Type: Bug
> Components: Value Stack
> Affects Versions: 2.1.8.1
> Environment: Tested using Glassfish v3.
> Reporter: Jeremy Long
> Priority: Critical
> Labels: security
> Fix For: 3.x
>
> Attachments: Struts2Test.zip
>
>
> This was previously raised as an issue under WW-2264. After the discussion it
> was determined that this is not a bug - I disagree and would like to raise
> the issue again.
> If an Action implements SessionAware the contents of the session are
> modifiable, this includes the public setters on objects stored in the session.
> Ok, for the Action to be able to modify the contents of the session it must
> also implement a "public Map getSession()". However, even if the Action does
> not implement a getSession method it is still possible for an attacker to
> tamper with the contents of the HttpSession and affect the processing of
> the Action.
> I agree with the solutions previously discussed in WW-2264 that 'session'
> should be added to the parameter exclusion list in the struts-default.xml.
> Additionally, a warning should be added to the JavaDoc for SessionAware
> indicating the possible issue with exposing the session via the interface and
> that if the configuration of the interceptors does not explicitly exclude
> 'session' in the paramExclude node that it is possible for a requester to
> modify the session.
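The mitigation the report asks for, expressed as a struts.xml fragment. This is an added example and not configuration from the issue or from the Struts project itself: it assumes the ParametersInterceptor is registered as "params" inside "defaultStack" and that its exclusion list is set through the `params.excludeParams` parameter (the report refers to the same setting as the "paramExclude node"). The first stack shows the weak setting, in which nothing stops a request parameter named `session.<key>` from reaching `setSession()`'s map through a public `getSession()`; the second adds a pattern for `session` and for the other container objects an action can be made aware of.

```xml
<!-- Added example: hardening the parameter exclusion list (assumed parameter name params.excludeParams). -->
<struts>
  <package name="example" extends="struts-default">

    <interceptors>
      <!-- Weak: only the framework's own prefixes are excluded, so a request
           parameter such as session.role=admin is still pushed onto the value
           stack and, if the action exposes getSession(), into the HttpSession. -->
      <interceptor-stack name="weakStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">dojo\..*,^struts\..*</param>
        </interceptor-ref>
      </interceptor-stack>

      <!-- Corrected: any parameter name beginning with session., request.,
           application. or servletRequest./servletResponse. is dropped by the
           ParametersInterceptor before OGNL ever evaluates it, so implementing
           SessionAware (or the sibling *Aware interfaces) no longer exposes
           the container objects to the request. -->
      <interceptor-stack name="secureStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>

    <!-- Make the hardened stack the default for every action in the package. -->
    <default-interceptor-ref name="secureStack"/>

    <action name="login" class="example.LoginAction">
      <result>/login.jsp</result>
    </action>
  </package>
</struts>
```

The patterns are regular expressions matched against the full parameter name, so `^session\..*` also covers nested paths such as `session.user.admin`. Removing `getSession()` from the action is not a substitute for this list: as the report notes, the interceptor still evaluates the parameter name against the action, so the exclusion must be enforced in the configuration for every stack that includes the ParametersInterceptor, not only in `defaultStack`.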