Posted to dev@struts.apache.org by bu...@apache.org on 2003/12/19 12:28:34 UTC
DO NOT REPLY [Bug 25649] New: - DOS attack by making DispatchAction recurse on execute()
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25649>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25649
Summary: DOS attack by making DispatchAction recurse on execute()
Product: Struts
Version: 1.1 Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Standard Actions
AssignedTo: struts-dev@jakarta.apache.org
ReportedBy: apache@flexweb.org
DispatchAction takes the value of a parameter and introspectively calls a
method with the same name. DispatchAction does not check what method is being
called.
It is therefore possible (and very easy) to make it call the execute() method on
any website that contains a DispatchAction by passing 'execute' as the value for
this parameter. execute() will then continue to call itself recursively, causing
very high server load and a possible complete Denial of Service.
Since DispatchAction is a very widely used Struts component (and considered good
practice), this leaves almost every site built with Struts vulnerable. I have
tested for this behavior on Struts 1.1 final and believe all previous releases of
DispatchAction to be vulnerable as well.
Structural solution:
Modify Jakarta DispatchAction to check what method name is given and throw an
exception on an attempt to call either execute() or the deprecated but still
working perform().
Quick fix for existing sites:
Implement a base class that extends DispatchAction and checks for a call to
either execute or perform. Then have all your actions that extend
DispatchAction extend from this (safer) base class instead.
Guido Schoonheim
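The "quick fix" base class described in the report, written out as an added example that is not code from the report or from the Struts project. It assumes Struts 1.1's DispatchAction routes the parameter value through a protected dispatchMethod(mapping, form, request, response, name) hook that a subclass can override; the class name SafeDispatchAction is hypothetical.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/**
 * Base class for the quick fix: refuse to dispatch to execute() or perform()
 * so a crafted parameter value cannot make the action recurse into itself.
 * Existing actions extend this class instead of DispatchAction directly.
 */
public abstract class SafeDispatchAction extends DispatchAction {

    /** Method names that must never be reachable through the dispatch parameter. */
    private static final String[] FORBIDDEN = { "execute", "perform" };

    /**
     * Assumption: DispatchAction.execute() calls this hook with the method
     * name taken from the request parameter, so the check runs before any
     * reflective lookup of the method.
     */
    protected ActionForward dispatchMethod(ActionMapping mapping, ActionForm form,
                                           HttpServletRequest request,
                                           HttpServletResponse response,
                                           String name) throws Exception {
        if (isForbidden(name)) {
            // Fail closed: ending the request with an exception is cheap,
            // whereas letting the call through recurses until the stack is exhausted.
            throw new ServletException("Refusing recursive dispatch to '" + name
                    + "' on " + mapping.getPath());
        }
        return super.dispatchMethod(mapping, form, request, response, name);
    }

    /** True for execute/perform, compared case-sensitively as reflection would. */
    static boolean isForbidden(String name) {
        if (name == null) {
            return false; // a missing parameter is handled by DispatchAction itself
        }
        for (int i = 0; i < FORBIDDEN.length; i++) {
            if (FORBIDDEN[i].equals(name)) {
                return true;
            }
        }
        return false;
    }
}
```

Logging the rejected name alongside the request's remote address gives a simple detection signal for attempts against actions that have not yet been migrated to the base class.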
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-dev-help@jakarta.apache.org