DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25649>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25649

DOS attack by making DispatchAction recurse on execute()

Summary: DOS attack by making DispatchAction recurse on execute()
Product: Struts
Version: 1.1 Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Standard Actions
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

DispatchAction takes the value of a parameter and introspectively calls a method with the same name. DispatchAction does not check what method is being called. It is therefore possible (and very easy) to make it call the execute() method on any website that contains a DispatchAction by passing 'execute' as the value for this parameter. Execute will then continue to call itself recursively, causing very high server load and a possible complete Denial Of Service.

Since DispatchAction is a very widely used Struts component (and considered good practice) this leaves almost every site built with Struts vulnerable. I have tested for this behavior on Struts 1.1 final and believe all previous releases of DispatchAction to be vulnerable as well.

Structural solution: Modify Jakarta DispatchAction to check what method name is given and throw an exception on an attempt to call either execute() or the deprecated but still working perform().

Quick fix for existing sites: Implement a base class that extends DispatchAction and checks for a call to either execute or perform. Then have all your actions that extend DispatchAction extend from this (safer) base class instead.

Guido Schoonheim
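The "quick fix" base class described in the report, written out as an added example (not code from the report or from Struts). It assumes the Struts 1.1 public API only: `ActionMapping.getParameter()` returns the name of the request parameter configured for the mapping, and `DispatchAction.execute()` performs the reflective dispatch; the class name `SafeDispatchAction` and the helper `isAllowedMethodName` are hypothetical.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/**
 * Hypothetical hardened base class (not part of Struts). It rejects a
 * dispatch to execute() or perform() before DispatchAction's reflective
 * dispatch ever sees the method name, so the recursion in the report
 * cannot start. Existing DispatchAction subclasses extend this instead.
 */
public abstract class SafeDispatchAction extends DispatchAction {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws Exception {
        // The request parameter carrying the method name is set per action
        // mapping through the "parameter" attribute in struts-config.xml.
        String parameter = mapping.getParameter();
        String name = (parameter == null) ? null : request.getParameter(parameter);

        if (!isAllowedMethodName(name)) {
            // Fail closed, as the report's structural solution suggests:
            // throw instead of letting execute() call itself again.
            throw new ServletException(
                "Dispatch to reserved method '" + name + "' is not allowed");
        }
        return super.execute(mapping, form, request, response);
    }

    /**
     * Method names that would re-enter this dispatcher are refused.
     * A missing name is passed through so DispatchAction can raise its
     * usual "no parameter" error; matching is case-sensitive because
     * Java reflection only resolves an exact method name.
     */
    protected boolean isAllowedMethodName(String name) {
        if (name == null) {
            return true;
        }
        return !("execute".equals(name) || "perform".equals(name));
    }
}
```

Subclasses keep their existing public dispatch methods unchanged; only the `extends DispatchAction` clause changes to `extends SafeDispatchAction`.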