[
https://issues.apache.org/jira/browse/WW-3631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13162417#comment-13162417
]
Jeremy Long commented on WW-3631:
---------------------------------
Thanks - so what about even Struts 2's use of this interface in things such
as DirectRenderFromEventAction:
http://struts.apache.org/2.0.11/struts2-core/apidocs/org/apache/struts2/portlet/dispatcher/DirectRenderFromEventAction.html
I have not used or seen the Struts2 Portlets in use, so I'm unsure whether
a problem might exist there.
Lastly - while not putting an actual fix in place, could the JavaDoc at
least be updated to indicate that there is a possible security concern with
implementing SessionAware or RequestAware?
Thanks,
--Jeremy
On Sun, Dec 4, 2011 at 10:39 AM, Dave Newton (Commented) (JIRA) <
> Implementing SessionAware allows session tampering
> --------------------------------------------------
>
> Key: WW-3631
> URL: https://issues.apache.org/jira/browse/WW-3631
> Project: Struts 2
> Issue Type: Bug
> Components: Value Stack
> Affects Versions: 2.1.8.1
> Environment: Tested using Glassfish v3.
> Reporter: Jeremy Long
> Priority: Critical
> Labels: security
> Fix For: 3.x
>
> Attachments: Struts2Test.zip
>
>
> This was previously raised as an issue under WW-2264. After the discussion it
> was determined that this is not a bug - I disagree and would like to raise
> the issue again.
> If an Action implements SessionAware the contents of the session are
> modifiable, this includes the public setters on objects stored in the session.
> Ok, for the Action to be able to modify the contents of the session it must
> also implement a "public Map getSession()". However, even if the Action does
> not implement a getSession method it is still possible for an attacker to
> tamper with the contents of the HttpSession and affect the processing of
> the Action.
> I agree with the solutions previously discussed in WW-2264 that 'session'
> should be added to the parameter exclusion list in the struts-default.xml.
> Additionally, a warning should be added to the JavaDoc for SessionAware
> indicating the possible issue with exposing the session via the interface and
> that if the configuration of the interceptors does not explicitly exclude
> 'session' in the paramExclude node that it is possible for a requester to
> modify the session.
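The exposure the quoted report describes, as an added example that is not part of the report, the ticket, or the Struts code base. It assumes the Struts 2.1.x API names `com.opensymphony.xwork2.ActionSupport` and `org.apache.struts2.interceptor.SessionAware`; the class names and the `"user"` session key are hypothetical. The first class has the shape the report warns about (SessionAware plus a public `getSession()`), the second keeps the injected map private and exposes only a narrow, read-only value:

```java
// Added example (not from WW-3631 or the Struts project).
// Assumes Struts 2.1.x: ActionSupport and SessionAware as named below.
// Two source files shown together; class names are hypothetical.

// --- file: ExposedSessionAction.java ---
package example;

import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

/**
 * Shape the report warns about. The params interceptor treats request
 * parameter names as property paths on the action and follows public
 * getters, so a public getSession() makes the whole session map a
 * navigable, writable property of the action (including public setters
 * on objects stored in it), unless 'session' is on the exclusion list.
 */
public class ExposedSessionAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;

    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // Public getter: exposes the session map as an action property.
    public Map<String, Object> getSession() {
        return session;
    }
}

// --- file: GuardedSessionAction.java ---
package example;

import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

/**
 * Hardened shape. The injected map stays private and there is no
 * getSession(), so the map is not a navigable property of the action.
 * Only the specific value the page logic needs is exposed, read-only.
 * This complements, and does not replace, excluding 'session' from
 * parameter binding in the interceptor configuration.
 */
public class GuardedSessionAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;

    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // Read-only accessor for one well-defined value; "user" is a
    // hypothetical session key chosen for this example.
    public String getCurrentUserName() {
        Object user = session == null ? null : session.get("user");
        return user == null ? null : user.toString();
    }
}
```

The code-level change only removes the getter path; the report's point that the setter itself needs covering is addressed at the configuration level, by adding `session` to the params interceptor's exclusion list (the `excludeParams` setting on the `params` interceptor in the Struts 2.1.x configuration), which is the fix the report proposes for struts-default.xml.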
--
This message is automatically generated by JIRA.