If your application is displaying user input without checking for malicious code, you have a problem whether Struts 2 evaluations ognl expressions or not. This is how the majority of Cross-Site Scripting (XSS) [1] attacks work, tricking the user into visiting a page that the attacker has placed JavaScript that steals their cookies.
That said, the average Struts developer may not be aware of how OGNL is being used here, so we should do something to better protect the application. I'm taking this discussion over to the dev@ list. Don [1] http://en.wikipedia.org/wiki/Cross-site_scripting On 7/16/07, Aram Mkhitaryan <[EMAIL PROTECTED]> wrote:
Maybe it's new just for me, but I found out one of the main reasons of the problem try to submit "[EMAIL PROTECTED]@exit(0)}" in the viewable property for example you submit a text, and it is displayed by s2's tags try and have fun ... this expression works and my server shuts down! the problem I mentioned is that when I say "print property" it executes it at first ... but it should not! I'm right, amn't I? why it executes the string value in my property? (it's not just a problem, it's a security risk, the users can hack s2 sites) (at least who may read this message will know that he can hack s2 sites and the simplest way is given above) that's why even when you do not use ognl expressions, it still works and it costs ... Best, Aram ________________________________ Aram Mkhitaryan 52, 25 Lvovyan, Yerevan 375000, Armenia Mobile: +374 91 518456 E-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]