[
https://issues.apache.org/struts/browse/WW-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42426
]
Don Brown commented on WW-2264:
-------------------------------
Philip: agreed, but that is why I would not consider it a security hole. The
session remains untouched; only the action is affected as it gets a new map
that it thinks is backed by the session. If the action was really worried
about security, it would implement the ParameterNameAware interface. Anyways,
I think the fix here is to add "session" to the list of parameters that aren't
accepted by the ParametersInterceptor, even though this may mean breaking some
existing applications. I don't think it is enough to warrant a hurried
security patch and downgrading of existing GA releases, but it should be
backported to the 2.0.x branch and released with the next version.
> A session value is overwrited by requesting.
> --------------------------------------------
>
> Key: WW-2264
> URL: https://issues.apache.org/struts/browse/WW-2264
> Project: Struts 2
> Issue Type: Bug
> Components: Value Stack
> Affects Versions: 2.0.9
> Environment: I tested in struts2.0.9
> Reporter: Hisato Killing
> Priority: Critical
> Attachments: s2inject.zip
>
>
> The attacker can inject a given value into the session map by clicking the
> following URL.
> http://example.com/SomeAction.action?session.somekey=someValue
> [[A session value is overwritten by a browser request.]]
> FROM: [EMAIL PROTECTED]
> TO: struts-dev
> >>>>
> 1. This problem occurs in Struts 2.0.9 and perhaps others.
> In that case, the following is assumed.
> i. SomeAction implements SessionAware.
> ii. It is defined in struts-default.
> iii. devMode is true or false.
> ["someValue"] is placed into the SessionMap under the name "someKey" when the
> request shown in that URL is processed.
> Here ["someValue"] means an array containing "someValue".
> This causes a ClassCastException in almost all cases.
> [EMAIL PROTECTED]
> It may be that this is only my mistake, a setting, etc.
> Thanks
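How an action can close this off on its own side, as the comment above suggests, by implementing ParameterNameAware so that a parameter named `session.somekey` is never handed to the ParametersInterceptor. This is an added example, not code from the Struts project or the issue; it assumes the Struts 2.0.x `SessionAware` and XWork `ParameterNameAware` interfaces, and the `SAFE_NAME` pattern and the set of rejected root names are the example's own choices.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

/**
 * Action that vetoes request parameters whose name would be resolved against
 * the injected "session" map (the WW-2264 pattern) instead of a plain property.
 * Added example; not part of the Struts code base.
 */
public class SomeAction extends ActionSupport implements SessionAware, ParameterNameAware {

    // Accept only bean-style names: identifiers joined by '.', optionally indexed
    // like "[0]". Quotes, parentheses and '#' context references never match.
    private static final Pattern SAFE_NAME = Pattern.compile(
        "^[A-Za-z_][A-Za-z0-9_]*(\\[\\d+\\])?(\\.[A-Za-z_][A-Za-z0-9_]*(\\[\\d+\\])?)*$");

    // Root names that the *Aware interfaces populate with container maps. The
    // issue only names "session"; the other two are this example's assumption.
    private static final Set<String> INJECTED_MAPS =
        new HashSet<String>(Arrays.asList("session", "application", "request"));

    private Map session;
    private String someKey;

    public void setSession(Map session) { this.session = session; }
    public void setSomeKey(String someKey) { this.someKey = someKey; }
    public String getSomeKey() { return someKey; }

    // Called by ParametersInterceptor for every parameter before it is set.
    public boolean acceptableParameterName(String name) {
        return isAcceptable(name);
    }

    /** Pure check so it can be unit-tested without a request or a container. */
    static boolean isAcceptable(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) return false;
        String root = name.split("[.\\[]")[0];   // "session.somekey" -> "session"
        return !INJECTED_MAPS.contains(root);
    }

    public String execute() {
        return SUCCESS;
    }
}
```

With this in place, `?session.somekey=someValue` is dropped by the interceptor (and logged when devMode is on) while `?someKey=someValue` still reaches `setSomeKey`.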