Is there a policy or person in the struts2, webwork or apache team with
a PR role that's going to announce the vulnerability?
I'm obliged to keep my clients informed and I'd rather point them to a
factual article announced by the community than to a misinformed post
that will undoubtedly soon appear on theserverside.com, slashdot or a
vulnerability site.
Don Brown wrote:
If your application is displaying user input without checking for
malicious code, you have a problem whether Struts 2 evaluates OGNL
expressions or not. This is how the majority of Cross-Site
Scripting (XSS) [1] attacks work: tricking the user into visiting a
page where the attacker has placed JavaScript that steals their
cookies.
That said, the average Struts developer may not be aware of how OGNL
is being used here, so we should do something to better protect the
application.
I'm taking this discussion over to the dev@ list.
Don
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
On 7/16/07, Aram Mkhitaryan <[EMAIL PROTECTED]> wrote:
Maybe it's new just for me, but I found out one of the main reasons
for the problem:
try to submit "[EMAIL PROTECTED]@exit(0)}" in the viewable property
for example you submit a text, and it is displayed by s2's tags
try and have fun ...
this expression works and my server shuts down!
The problem I mentioned is that when I say "print property" it
executes it first ...
but it should not! I'm right, aren't I?
Why does it execute the string value in my property?
(It's not just a problem, it's a security risk: users can hack S2
sites.)
(At least whoever reads this message will know that they can hack S2
sites, and the simplest way is given above.)
That's why, even when you do not use OGNL expressions, it still works
and it costs ...
Best,
Aram
________________________________
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +374 91 518456
E-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
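The two points made in the thread above, Don's (unescaped user input is an XSS problem regardless of OGNL) and Aram's (a property value is evaluated a second time as an expression), as an added example that is not code from the original thread or from Struts 2 itself. It uses the OGNL library's `Ognl.getValue` for the evaluation passes; the second pass in `renderUnsafe` is a simplified stand-in for the tag's re-evaluation of `%{...}` in a rendered value (an assumption about the mechanism, not Struts source), and the constructed input uses a harmless `%{1+1}` rather than the shutdown expression from the thread. It needs the `ognl` jar on the classpath.

```java
import java.util.Map;

import ognl.Ognl;
import ognl.OgnlException;

// Constructed stand-in for a Struts 2 action: one property that holds raw user input.
public class DoubleEvalDemo {
    private final String comment;

    public DoubleEvalDemo(String comment) {
        this.comment = comment;
    }

    public String getComment() {
        return comment;
    }

    // First evaluation: what a tag does with an attribute such as value="comment".
    // The expression is resolved against the action (the OGNL root object).
    @SuppressWarnings("unchecked")
    static Object evaluateOnce(String expression, Object root) throws OgnlException {
        Map context = Ognl.createDefaultContext(root);
        return Ognl.getValue(expression, context, root);
    }

    // Vulnerable rendering (assumed simplified model, not Struts code): a second pass that
    // treats any %{...} found in the *result* as another OGNL expression. Because the result
    // is user data, the user now controls what gets evaluated on the server.
    static String renderUnsafe(String expression, Object root) throws OgnlException {
        String value = String.valueOf(evaluateOnce(expression, root));
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (true) {
            int start = value.indexOf("%{", pos);
            int end = start < 0 ? -1 : value.indexOf('}', start);
            if (start < 0 || end < 0) {
                out.append(value.substring(pos));
                return out.toString();
            }
            out.append(value, pos, start);
            String inner = value.substring(start + 2, end);
            out.append(evaluateOnce(inner, root)); // second evaluation of user-controlled text
            pos = end + 1;
        }
    }

    // Hardened rendering: evaluate the attribute exactly once, then treat the result strictly
    // as data: no re-evaluation, and HTML-escape it before it reaches the page.
    static String renderSafe(String expression, Object root) throws OgnlException {
        return escapeHtml(String.valueOf(evaluateOnce(expression, root)));
    }

    // Minimal HTML escaping of the characters that matter in element content and attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed input, as a user might submit it in a form field: an OGNL expression
        // plus a script tag. %{1+1} is deliberately harmless; the shutdown expression from
        // the thread is not reproduced here.
        DoubleEvalDemo action = new DoubleEvalDemo("hi %{1+1} <script>alert(1)</script>");

        // Expression is evaluated and the script tag is delivered to the browser raw.
        System.out.println(renderUnsafe("comment", action));

        // %{1+1} stays literal text and the script tag is escaped.
        System.out.println(renderSafe("comment", action));
    }
}
```

Two separate fixes are visible in `renderSafe`: not re-evaluating the rendered value closes the server-side expression injection Aram describes, and escaping closes the XSS Don describes. Either one alone leaves the other problem in place.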