[
https://issues.apache.org/jira/browse/WW-4487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
M.Eng Info Sec Concordia University updated WW-4487:
----------------------------------------------------
Labels: Concordia Info M.Eng Sec University (was: )
> Struts 2.3.20 web applications - Potential vulnerabilities
> -----------------------------------------------------------
>
> Key: WW-4487
> URL: https://issues.apache.org/jira/browse/WW-4487
> Project: Struts 2
> Issue Type: Bug
> Components: Example Applications
> Affects Versions: 2.3.23
> Reporter: M.Eng Info Sec Concordia University
> Priority: Trivial
> Labels: Concordia, Info, M.Eng, Sec, University
>
> Dear Struts 2.x Development Team,
> As part of our Master's Program course (M-Eng. Information System Security)
> project, we tried to analyse and find potential security issues in
> Struts 2.3.20 web applications (included as war files in the struts
> installation bundle). Below is the unique list of vulnerabilities we found.
> Since software developers use these war files as a platform to build real
> world applications, the identified vulnerabilities would be present in the
> actual applications as well. Please analyse the vulnerabilities carefully.
> We hope that this exercise would help you to fix the vulnerabilities in a
> future release.
> Sl No | Vulnerability Type | File Name | Line No | Summary
>
> 1 | Privacy Violation | MailreaderSupport.java | 374
> The method findUser() in MailreaderSupport.java mishandles confidential
> information, which can compromise user privacy and is often illegal.
> Mishandling private information, such as customer passwords or social
> security numbers, can compromise user privacy and is often illegal.
>
> 2 | Denial of Service | LongProcessAction.java | 35
> The call to sleep() at LongProcessAction.java line 35 allows an attacker
> to crash the program or otherwise make it unavailable to legitimate users.
> An attacker could cause the program to crash or otherwise become
> unavailable to legitimate users.
>
> 3 | Hardcoded Password | Constants.java | 110
> Hardcoded passwords can compromise system security in a way that cannot
> be easily remedied.
>
> 4 | Password (Unencrypted) in a config file | alternate.properties | 1
> Storing a plaintext password in a configuration file may result in a
> system compromise.
>
> 5 | Unreleased Resources | ApplicationListener.java | 219
> The function calculatePath() in ApplicationListener.java sometimes fails
> to release a system resource allocated by getResourceAsStream() on line
> 219. The program can potentially fail to release a system resource.
> Thanks and Regards
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)