possibly excludeParams with (reg-exp) patterns to exclude
<interceptor-ref name="params">
<param name="excludeParams">&lt;a href*&gt;,^struts\..*</param>
</interceptor-ref>
would clean malicious anchor tags
http://struts.apache.org/2.0.14/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html
interested in hearing of ParameterNameAware solution
thanks,
Martin Gainty
> Date: Tue, 30 Jun 2009 16:54:08 -0700
> Subject: Re: Struts2 Bean Setter Attack
> From: [email protected]
> To: [email protected]
>
> There are around 25.8 ways to prevent this, some options are to block
> it in the params interceptor config, to configure the remove
> parameters interceptor, to implement ParameterNameAware and filter out
> evil parameters.
>
> musachy
>
> On Tue, Jun 30, 2009 at 3:40 PM, smart acer<[email protected]> wrote:
> > We need an object for example CustomerData in session. We have configured it
> > through struts2 xml, session scope.
> >
> > Base Action class has a getter and setter for this bean. getCustomerData(),
> > setCustomerData()
> >
> > Since it has a setter on the action class (the setter is needed to put it in the session
> > through struts2), we believe it is open to an object setter attack through a form
> > post. One can, for example, post customerData.address and struts2 would
> > automatically set this data on the object. This attribute is supposed to be
> > READ ONLY, or ONLY the system can set it, not the UI.
> >
> > Any idea how we can prevent this issue? I am surprised this kind of security
> > issue is there with struts2; what are we missing? Is there an interceptor we
> > need to configure to prevent this?
> >
> > Thanks
> >
>
>
>
> --
> "Hey you! Would you help me to carry the stone?" Pink Floyd
>
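As an added example (my own code, not Martin's, Musachy's, or the Struts project's), here is the ParameterNameAware route Musachy mentions, applied to the customerData bean from the original question. The package, the CustomerData stub, the class name and the regular expressions are assumptions made for illustration; the interface and its single method are the real XWork2 API linked above. Note that both ParameterNameAware and excludeParams are matched against request parameter names, not values, which is why the deny rule below is written as a prefix on the property path rather than as an HTML pattern.

```java
// Added example: a base action that refuses to let the params interceptor
// map request parameters onto the session-scoped customerData bean.
// Package, class names, CustomerData stub and regexes are assumptions.
package example.web;   // hypothetical package

import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

// Minimal stand-in for the session-scoped bean in the question.
class CustomerData {
    private String address;
    public String getAddress() { return address; }
    public void setAddress(String address) { this.address = address; }
}

public class BaseAction extends ActionSupport implements ParameterNameAware {

    // Only plain property paths reach the setter chain: identifiers joined by
    // dots, with optional simple [n] indexes. Anything else (OGNL expressions,
    // parentheses, quotes, '#' or '@') is rejected before it is evaluated.
    private static final Pattern SAFE_NAME = Pattern.compile(
        "^[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z][A-Za-z0-9_]*|\\[\\d+\\])*$");

    // Prefixes the request must never set. customerData is the system-owned
    // session bean; the rest are framework-owned properties. The trailing
    // group also catches the bare name, so "customerData=..." is refused too.
    private static final Pattern DENIED = Pattern.compile(
        "^(customerData|struts|session|request|application|servletRequest"
        + "|servletResponse|parameters)(\\.|\\[|$)");

    private CustomerData customerData;

    public CustomerData getCustomerData() { return customerData; }

    // Still public so the framework can inject the session bean; the filter
    // below keeps request parameters from ever reaching this setter.
    public void setCustomerData(CustomerData customerData) {
        this.customerData = customerData;
    }

    // Called by the params interceptor once per request parameter name.
    public boolean acceptableParameterName(String parameterName) {
        return isAcceptable(parameterName);
    }

    // Pure decision function, kept static so it can be unit-tested without
    // a Struts runtime.
    static boolean isAcceptable(String parameterName) {
        if (parameterName == null || !SAFE_NAME.matcher(parameterName).matches()) {
            return false;   // malformed or expression-like name
        }
        return !DENIED.matcher(parameterName).find();
    }
}
```

With this in place, a posted customerData.address is dropped before OGNL ever sees it, while form fields such as address.street for the action's own properties still bind normally. The same deny rule can be expressed in struts.xml instead, by listing customerData\..* alongside ^struts\..* in the excludeParams parameter of the params interceptor; implementing the interface has the advantage that the rule lives next to the setter it protects and is inherited by every action that extends the base class.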