[ 
https://issues.apache.org/jira/browse/WW-4487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart closed WW-4487.
-----------------------------
    Resolution: Not A Problem

> Struts 2.3.20 web applications - Potential vulnerabilities 
> -----------------------------------------------------------
>
>                 Key: WW-4487
>                 URL: https://issues.apache.org/jira/browse/WW-4487
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Example Applications
>    Affects Versions: 2.3.20
>            Reporter: M.Eng Info Sec Concordia University
>            Priority: Trivial
>              Labels: Concordia, Info, M.Eng, Sec, University
>
> Dear Struts 2.x Development Team,
> As part of our Master's Program course (M-Eng. Information System Security)
> project, we tried to analyse and find potential security issues in the
> Struts 2.3.20 web applications (included as war files in the struts
> installation bundle). Below is the list of unique vulnerabilities we found.
> Since software developers use these war files as a platform to build real
> world applications, the identified vulnerabilities would be present in the
> actual applications as well. Please analyse the vulnerabilities carefully.
> We hope that this exercise would help you to fix the vulnerabilities in a
> future release.
> Findings (Sl No, Vulnerability Type, File Name, Line No, Summary):
>
> 1. Privacy Violation, MailreaderSupport.java, line 374: The method
>    findUser() in MailreaderSupport.java mishandles confidential
>    information, which can compromise user privacy and is often illegal.
>    Mishandling private information, such as customer passwords or social
>    security numbers, can compromise user privacy and is often illegal.
>
> 2. Denial of Service, LongProcessAction.java, line 35: The call to sleep()
>    at LongProcessAction.java line 35 allows an attacker to crash the
>    program or otherwise make it unavailable to legitimate users. An
>    attacker could cause the program to crash or otherwise become
>    unavailable to legitimate users.
>
> 3. Hardcoded Password, Constants.java, line 110: Hardcoded passwords can
>    compromise system security in a way that cannot be easily remedied.
>
> 4. Password (unencrypted) in a config file, alternate.properties, line 1:
>    Storing a plaintext password in a configuration file may result in a
>    system compromise.
>
> 5. Unreleased Resources, ApplicationListener.java, line 219: The function
>    calculatePath() in ApplicationListener.java sometimes fails to release
>    a system resource allocated by getResourceAsStream() on line 219. The
>    program can potentially fail to release a system resource.
>
> Thanks and Regards
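The two findings that map most directly onto a code pattern are the unreleased stream from getResourceAsStream() (finding 5) and the credential baked into source or a plaintext properties file (findings 3 and 4). The following Java is an added illustration of those patterns and their usual remediation; it is not code from the Struts 2 project or from the reporter, and the class name, method names, the resource name and the APP_DB_PASSWORD environment variable are all hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

// Added example (not Struts project code). Names are hypothetical and chosen
// only to show the leak-prone and the hardened form of each pattern.
public class ResourceHandlingExample {

    // Finding 5 pattern: the stream returned by getResourceAsStream() is only
    // closed on the success path. If load() throws, close() is skipped and the
    // handle stays open until the garbage collector happens to finalize it.
    static Properties loadLeaky(String name) throws IOException {
        Properties props = new Properties();
        InputStream in = ResourceHandlingExample.class.getResourceAsStream(name);
        if (in == null) {
            throw new IOException("resource not found: " + name);
        }
        props.load(in);   // an exception here bypasses the close() below
        in.close();
        return props;
    }

    // Hardened form: try-with-resources closes the stream on every exit path,
    // including the exception path. A null resource is simply not closed.
    static Properties loadSafely(String name) throws IOException {
        Properties props = new Properties();
        try (InputStream in = ResourceHandlingExample.class.getResourceAsStream(name)) {
            if (in == null) {
                throw new IOException("resource not found: " + name);
            }
            props.load(in);
        }
        return props;
    }

    // Findings 3 and 4 pattern: a credential compiled into a class or shipped
    // in a plaintext .properties file ends up in every build artifact and
    // cannot be rotated without redeploying. The value is a constructed
    // placeholder, not anything from the reported applications.
    static final String HARDCODED_PASSWORD = "changeme";

    // Hardened form: resolve the secret at runtime from the process
    // environment (or a secrets manager) and fail closed when it is absent,
    // so a missing secret never silently falls back to a default.
    static String resolvePassword() {
        String fromEnv = System.getenv("APP_DB_PASSWORD"); // hypothetical name
        if (fromEnv == null || fromEnv.isEmpty()) {
            throw new IllegalStateException("APP_DB_PASSWORD is not set");
        }
        return fromEnv;
    }

    public static void main(String[] args) {
        // Constructed demo: the resource does not exist, so both loaders
        // throw; only loadSafely() guarantees no handle is left open.
        try {
            loadSafely("/does-not-exist.properties");
        } catch (IOException e) {
            System.out.println("loadSafely: " + e.getMessage());
        }
        try {
            System.out.println("password length: " + resolvePassword().length());
        } catch (IllegalStateException e) {
            System.out.println("resolvePassword: " + e.getMessage());
        }
    }
}
```

The point of the contrast is the exception path: static analysers flag the first loader because the close() call is not on every path, and the try-with-resources form removes the finding rather than suppressing it. For the credential findings, moving the value out of the build artifact is what makes rotation possible; which runtime source holds it (environment, container secret, vault) is a deployment choice.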



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
