[ http://issues.apache.org/struts/browse/STR-1890?page=all ]
     
David Evans reopened STR-1890:
------------------------------

    Assign To: David Evans  (was: Struts Developer Mailing List)

> DOS attack by making DispatchAction recurse on execute()
> --------------------------------------------------------
>
>          Key: STR-1890
>          URL: http://issues.apache.org/struts/browse/STR-1890
>      Project: Struts Action 1
>         Type: Bug
>   Components: Extras
>     Versions: 1.1 Final
>  Environment: Operating System: other
> Platform: Other
>     Reporter: Guido Schoonheim
>     Assignee: David Evans
>      Fix For: 1.2 Family
>  Attachments: DispatchAction.java
>
> DispatchAction takes the value of a parameter and introspectively calls a method with the same name. DispatchAction does not check what method is being called.
> It is therefore possible (and very easy) to make it call the execute() method on any website that contains a DispatchAction by passing 'execute' as the value for this parameter. Execute will then continue to call itself recursively, causing very high server load and a possible complete Denial Of Service.
> Since DispatchAction is a very widely used Struts component (and considered good practice) this leaves almost every site built with Struts vulnerable. I have tested for this behavior on Struts 1.1 final and believe all previous releases of DispatchAction to be vulnerable as well.
>
> Structural solution:
> Modify Jakarta DispatchAction to check what method name is given and throw an exception on an attempt to call either execute() or the deprecated but still working perform().
>
> Quick fix for existing sites:
> Implement a base class that extends DispatchAction and checks for a call to either execute or perform. Then have all your actions that extend DispatchAction extend from this (safer) base class instead.
>
> Guido Schoonheim

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/struts/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
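The "quick fix for existing sites" that the report describes, written out as an added example: a guarded base class that sits between DispatchAction and an application's own actions. This is not code from the issue, from the attached DispatchAction.java, or from the Struts project. It assumes the Struts 1.1 public API the report refers to (DispatchAction.execute(), ActionMapping.getParameter() returning the mapping's parameter attribute, and the null-name path that DispatchAction routes to unspecified()); the class name GuardedDispatchAction, the allowedMethods() hook and the isDispatchable() helper are mine. The allowlist hook goes one step beyond the report's execute/perform check: an action that lists its handler names explicitly can never be dispatched to any other public method it happens to inherit.

```java
// Hypothetical package; not part of Struts.
package example.struts;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/**
 * Base class for DispatchAction subclasses that refuses to dispatch to
 * execute() or perform(). The check runs before the parameter value ever
 * reaches DispatchAction's reflective method lookup, so the self-recursion
 * described in STR-1890 cannot start. Subclasses may also override
 * allowedMethods() to restrict dispatch to an explicit allowlist.
 */
public abstract class GuardedDispatchAction extends DispatchAction {

    /** Method names that must never be reachable through the dispatch parameter. */
    static final Set BLOCKED_METHODS;
    static {
        Set blocked = new HashSet();
        blocked.add("execute");
        blocked.add("perform");
        BLOCKED_METHODS = Collections.unmodifiableSet(blocked);
    }

    /**
     * Handler names this action is willing to dispatch to, or null to allow
     * any name that is not blocked. Overriding this is the stricter option.
     */
    protected Set allowedMethods() {
        return null;
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // The request parameter that carries the method name is configured per
        // mapping via the "parameter" attribute in struts-config.xml.
        String parameter = mapping.getParameter();
        String name = (parameter == null) ? null : request.getParameter(parameter);

        // A missing name is DispatchAction's own "unspecified" case; let it handle that.
        if (name != null && !isDispatchable(name, allowedMethods())) {
            // Fail closed with an exception, as the report's structural fix proposes;
            // the container turns this into an error response without running the handler.
            throw new ServletException(
                "Refusing to dispatch to method '" + name + "'");
        }
        return super.execute(mapping, form, request, response);
    }

    /**
     * Package-visible so the policy can be unit-tested without a servlet container.
     * A name is dispatchable if it is not blocked and, when an allowlist is
     * given, appears in that allowlist. The comparison is exact, matching the
     * exact-name lookup that Class.getMethod() performs inside DispatchAction.
     */
    static boolean isDispatchable(String name, Set allowed) {
        if (name == null || BLOCKED_METHODS.contains(name)) {
            return false;
        }
        return allowed == null || allowed.contains(name);
    }
}
```

Existing actions keep their handler methods unchanged and only swap `extends DispatchAction` for `extends GuardedDispatchAction`. Actions that can enumerate their handlers should override `allowedMethods()` to return that set; the denylist alone stops the recursion from the report, while the allowlist also closes off any other public method a subclass inherits.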

