[ https://issues.apache.org/jira/browse/WW-4487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart closed WW-4487.
-----------------------------
    Resolution: Not A Problem

> Struts 2.3.20 web applications - Potential vulnerabilities
> -----------------------------------------------------------
>
>                 Key: WW-4487
>                 URL: https://issues.apache.org/jira/browse/WW-4487
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Example Applications
>    Affects Versions: 2.3.20
>            Reporter: M.Eng Info Sec Concordia University
>            Priority: Trivial
>              Labels: Concordia, Info, M.Eng, Sec, University
>
> Dear Struts 2.x Development Team,
>
> As part of our Master's Program course (M.Eng. Information System Security) project, we chose to analyse and find potential security issues in Struts 2.3.20 web applications (included as war files in the Struts installation bundle). Below is the unique list of vulnerabilities we found. Since software developers use these war files as a platform to build real world applications, the identified vulnerabilities would be present in the actual applications as well. Please analyse the vulnerabilities carefully. We hope that this exercise would help you to fix the vulnerabilities in a future release.
>
> Sl No | Vulnerability Type                      | File Name               | Line No | Summary
> 1     | Privacy Violation                       | MailreaderSupport.java  | 374     | The method findUser() in MailreaderSupport.java mishandles confidential information, which can compromise user privacy and is often illegal. Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.
> 2     | Denial of Service                       | LongProcessAction.java  | 35      | The call to sleep() at LongProcessAction.java line 35 allows an attacker to crash the program or otherwise make it unavailable to legitimate users. An attacker could cause the program to crash or otherwise become unavailable to legitimate users.
> 3     | Hardcoded Password                      | Constants.java          | 110     | Hardcoded passwords can compromise system security in a way that cannot be easily remedied.
> 4     | Password (Unencrypted) in a config file | alternate.properties    | 1       | Storing a plaintext password in a configuration file may result in a system compromise.
> 5     | Unreleased Resources                    | ApplicationListener.java | 219    | The function calculatePath() in ApplicationListener.java sometimes fails to release a system resource allocated by getResourceAsStream() on line 219. The program can potentially fail to release a system resource.
>
> Thanks and Regards

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
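The following Java example is added here as an illustration of the two patterns behind findings 3, 4 and 5 in the report above; it is not code from the Struts example applications or from the reporter. The leaky and hardened `getResourceAsStream()` handling shows why a stream opened in a method like the reported `calculatePath()` must be closed on every path, and the password helper shows the alternative to a literal in a constants class or a plaintext properties entry. All class, method, resource and environment variable names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

// Added illustration; ResourceHandlingExample and its method names are hypothetical
// and do not correspond to any class in the Struts distribution.
public class ResourceHandlingExample {

    // Leaky pattern (the shape a static analyser reports as "Unreleased Resources"):
    // if props.load(in) throws, control leaves the method before in.close() runs,
    // so the stream returned by getResourceAsStream() is never released.
    static Properties loadLeaky(String resourceName) throws IOException {
        InputStream in = ResourceHandlingExample.class.getResourceAsStream(resourceName);
        if (in == null) {
            throw new IOException("resource not found: " + resourceName);
        }
        Properties props = new Properties();
        props.load(in);   // exception here skips the close() below
        in.close();
        return props;
    }

    // Hardened pattern: try-with-resources closes the stream on every exit path,
    // including the exceptional one, and does nothing if the resource is null.
    static Properties loadSafely(String resourceName) throws IOException {
        try (InputStream in = ResourceHandlingExample.class.getResourceAsStream(resourceName)) {
            if (in == null) {
                throw new IOException("resource not found: " + resourceName);
            }
            Properties props = new Properties();
            props.load(in);
            return props;
        }
    }

    // Instead of a password literal in a constants class or a plaintext entry in a
    // .properties file, resolve the secret at runtime from the environment (or a
    // secrets manager) and fail closed if it is absent. Returning char[] rather than
    // String lets the caller overwrite it once it has been used.
    static char[] mailPassword() {
        // MAILREADER_DB_PASSWORD is a hypothetical variable name for this example.
        String value = System.getenv("MAILREADER_DB_PASSWORD");
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("MAILREADER_DB_PASSWORD is not set");
        }
        return value.toCharArray();
    }

    public static void main(String[] args) {
        // Constructed input: a resource name that does not exist on the classpath, so
        // the example runs offline and exercises the failure path of loadSafely().
        try {
            loadSafely("/does-not-exist.properties");
        } catch (IOException e) {
            System.out.println("handled: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ResourceHandlingExample.java && java ResourceHandlingExample`; the program prints the handled "resource not found" message. To see the difference between the two loaders, point both at a real but malformed `.properties` file under a debugger or a leak detector: `loadLeaky()` leaves the stream open when `load()` throws, `loadSafely()` does not.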