DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4997>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4997 ActionForm exposes the ActionServlet, which has String properties that can be changed via a HTTP request. Summary: ActionForm exposes the ActionServlet, which has String properties that can be changed via a HTTP request. Product: Struts Version: 1.0 Final Platform: All OS/Version: Other Status: NEW Severity: Major Priority: Other Component: Controller AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] When the dotted syntax was added to the autopopulation mechanism, it has the side affect of exposing all public String properties on the nested object to HTTP. Any of these can then be changed by any user via a HTTP query string. The ActionServlet is exposed by the Struts ActionForm, so the temporary folder and upload buffer size properties could be altered, creating a Denial of Service situation. The proposed fix is to enclose the ActionServlet property in a wrapper which safely exposes only the properties needed by the framework, and cannot be exploited. See annexed for a complete discussion. Ted Husted is to apply a patch. Many thanks to Dmitri Plotnikov who first reported this exploit. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
