Another workaround is to implement ParameterNameAware, and return false
for parameters like "%{...}". I think that ParametersInterceptor needs to
check for values like that, just like it does with the names in
acceptableNames()

musachy
On 7/5/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
>
> The DoS is because you can trigger an infinite loop.
>
> Please take a look at the jira issue.
>
> Looks like we need to do different things if the value is specified
> in the source code or if it's inserted in the field by the user.
>
> http://struts.apache.org/2.0.8/docs/tag-syntax.html
>
> On 05/Jul/07, at 17:47, Bob Lee wrote:
>
> > Possible DoS? Isn't this a remote exploit? Can you call arbitrary
> > methods?
> >
> > Bob
> >
> > On 7/5/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
> >>
> >> some simple testing shows that the field value is simply evaluated...
> >>
> >> try to put on a struts textfield %{1+1} submit and you'll get "2" on
> >> the field...
> >>
> >> Cool but don't think it should be the default behaviour.
> >>
> >> What constructs can trigger recursion ?
> >>
> >>
> >> On 05/Jul/07, at 14:00, Andrea wrote:
> >>
> >> > Antonio Petrelli <antonio.petrelli <at> gmail.com> writes:
> >> >
> >> >>
> >> >> Hi all,
> >> >> Andrea Vettori, in the Struts Users mailing list, probably
> >> discovered
> >> >> a possible Denial-Of-Service bug in Struts 2.
> >> >> The cause could be XWork.
> >> >>
> >> >
> >> > Hi,
> >> >
> >> > furthermore I'd like to know if there are other "values" that can
> >> > trigger the problem.
> >> > Since I don't think that normal users of my site use that kind of
> >> > password, I'm looking for whatever has triggered the problem about
> >> > once a day on my e-commerce site...
> >> >
> >> > I've tried to follow the source of various classes but it's all new
> >> > to me so I'm a bit lost.
> >> >
> >> > Thanks
> >> >
> >> >
> >> >
> >>
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> > For additional commands, e-mail: [EMAIL PROTECTED]
> >> >
> >>
> >> --
> >> Ing. Andrea Vettori
> >> Information Technology Consultant
> >>
>
> --
> Ing. Andrea Vettori
> Information Technology Consultant
>
--
"Hey you! Would you help me to carry the stone?" Pink Floyd
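The workaround musachy describes at the top of the thread, carried through as an added example. This is editor's code, not code from this thread, from Struts or from XWork. It assumes XWork 2.0's `com.opensymphony.xwork2.interceptor.ParameterNameAware` interface with the single method `boolean acceptableParameterName(String)` and the `ActionSupport` base class; the `LoginAction` class, its two fields and the `example` package are hypothetical. It also goes one step beyond the thread's workaround by applying the same screening to the submitted values, which is the gap musachy points out in ParametersInterceptor.

```java
package example; // hypothetical package, chosen for this example only

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Hypothetical action that (1) refuses request parameter names that
 * ParametersInterceptor would otherwise bind and (2) screens the submitted
 * values themselves, since the thread reports that a value such as
 * "%{1+1}" is evaluated when it is rendered back into a textfield.
 */
public class LoginAction extends ActionSupport implements ParameterNameAware {

    /** Only the fields this form really binds; every other name is dropped. */
    private static final Set<String> BOUND_FIELDS =
        new HashSet<String>(Arrays.asList("username", "password"));

    /**
     * Syntax that turns a plain string into something the value stack may
     * try to evaluate: "%{" / "${" expression markup, plus the characters
     * the interceptor already refuses in parameter names.
     */
    private static final Pattern EXPRESSION_MARKUP =
        Pattern.compile("[%$]\\{|[=,#:]");

    private String username;
    private String password;

    /**
     * Called by ParametersInterceptor for each request parameter name
     * (assumed XWork 2.0 signature). Returning false means the parameter
     * is never set on the action, so an expression-looking name never
     * reaches the value stack.
     */
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
            && BOUND_FIELDS.contains(parameterName)
            && !looksLikeExpression(parameterName);
    }

    /** True if the text contains markup that could be evaluated as an expression. */
    public static boolean looksLikeExpression(String text) {
        return text != null && EXPRESSION_MARKUP.matcher(text).find();
    }

    /**
     * Value-side screening, which the interceptor does not do for us.
     * A rejected value is also cleared so that the INPUT result never
     * re-renders the markup through the tag's value attribute.
     */
    @Override
    public void validate() {
        if (looksLikeExpression(username)) {
            addFieldError("username", "Username contains characters that are not allowed.");
            username = null;
        }
        if (looksLikeExpression(password)) {
            addFieldError("password", "Password contains characters that are not allowed.");
            password = null;
        }
    }

    public String execute() {
        // Authentication itself is out of scope for this example.
        return SUCCESS;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }

    /** Stand-alone check on constructed inputs; no servlet container needed. */
    public static void main(String[] args) {
        LoginAction action = new LoginAction();
        // Constructed parameter names: a bound field, an expression, a nested
        // property that this form does not bind, and a second bound field.
        String[] names = { "username", "%{1+1}", "user.name", "password" };
        for (String name : names) {
            System.out.println(name + " -> accepted=" + action.acceptableParameterName(name));
        }
        // Constructed values: one carrying expression markup, one ordinary.
        System.out.println("%{1+1} -> flagged=" + looksLikeExpression("%{1+1}"));
        System.out.println("alice -> flagged=" + looksLikeExpression("alice"));
    }
}
```

The whitelist of bound field names is the stronger of the two name checks; the markup pattern is a second line of defence for anything that slips past it. Clearing a rejected value in validate() matters because, as Andrea observed, the field value is evaluated when it is rendered back into the textfield, so leaving it on the action would redisplay the very input that was rejected.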