I'm glad to see so many people joining the discussion, but let's please take this to the dev list. There are a lot of Struts committers and contributors that don't read this user list. So please, no more messages on this thread for this list.
Don

On 7/16/07, Don Brown <[EMAIL PROTECTED]> wrote:
If your application is displaying user input without checking for malicious code, you have a problem whether Struts 2 evaluates OGNL expressions or not. This is how the majority of Cross-Site Scripting (XSS) [1] attacks work: tricking the user into visiting a page on which the attacker has placed JavaScript that steals their cookies. That said, the average Struts developer may not be aware of how OGNL is being used here, so we should do something to better protect the application. I'm taking this discussion over to the dev@ list.

Don

[1] http://en.wikipedia.org/wiki/Cross-site_scripting

On 7/16/07, Aram Mkhitaryan <[EMAIL PROTECTED]> wrote:
> Maybe it's new just for me, but I found out one of the main reasons for the
> problem
>
> try to submit "[EMAIL PROTECTED]@exit(0)}" in the viewable property
> for example you submit a text, and it is displayed by s2's tags
>
> try and have fun ...
>
> this expression works and my server shuts down!
>
> the problem I mentioned is that when I say "print property" it executes it
> at first ...
> but it should not! I'm right, aren't I?
>
> why does it execute the string value in my property?
> (it's not just a problem, it's a security risk, the users can hack s2 sites)
> (at least whoever reads this message will know that he can hack s2 sites and
> the simplest way is given above)
>
> that's why even when you do not use ognl expressions, it still works and it
> costs ...
>
> Best,
> Aram
> ________________________________
> Aram Mkhitaryan
>
> 52, 25 Lvovyan, Yerevan 375000, Armenia
>
> Mobile: +374 91 518456
> E-mail: [EMAIL PROTECTED]
>
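A defender-side check for the input shape Aram describes, added here as an example and not code from the thread or from Struts itself: it scans constructed access-log lines for request parameters that carry OGNL expression syntax, decoding twice so that double-encoded values are not missed. The paths, parameter names and the `com.example.Fake` class are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote

# Syntax that belongs in an OGNL expression, not in ordinary profile text:
# %{...} / ${...} / #{...} wrappers and @some.Class@member static references.
OGNL_PATTERNS = {
    "expression-wrapper": re.compile(r"[%$#]\{"),
    "static-reference": re.compile(r"@[A-Za-z_][\w.]*@\w+"),
}


def ognl_findings(query: str) -> list:
    """Return (param, decoded_value, pattern_name) for suspicious values.

    parse_qsl percent-decodes once; a second unquote() catches values that
    were encoded twice so that a single decoding step would not reveal them.
    """
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)
        for label, pattern in OGNL_PATTERNS.items():
            if pattern.search(value):
                findings.append((name, value, label))
                break
    return findings


def scan_access_log(lines: list) -> list:
    """Return (line_number, findings) for lines whose query string looks like OGNL."""
    results = []
    for number, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 2 or "?" not in parts[1]:
            continue
        query = parts[1].split("?", 1)[1]
        found = ognl_findings(query)
        if found:
            results.append((number, found))
    return results


# Constructed sample lines (not from the thread): method, path+query, protocol.
SAMPLE_LOG = [
    "GET /profile/save.action?name=Alice&about=hello+world HTTP/1.1",
    "GET /profile/save.action?about=%25%7B1%2B1%7D HTTP/1.1",
    "GET /profile/save.action?about=%2540com.example.Fake%2540ping() HTTP/1.1",
]

if __name__ == "__main__":
    for number, found in scan_access_log(SAMPLE_LOG):
        for param, value, label in found:
            print(f"line {number}: parameter {param!r} matches {label}: {value!r}")
```

Flagged values are a signal to log and review, not proof of an attack; the fix on the rendering side is still to escape user-controlled output rather than evaluate it.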