Posted to dev@struts.apache.org by bu...@apache.org on 2003/12/19 12:28:34 UTC

DO NOT REPLY [Bug 25649] New: - DOS attack by making DispatchAction recurse on execute()


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25649

DOS attack by making DispatchAction recurse on execute()

           Summary: DOS attack by making DispatchAction recurse on execute()
           Product: Struts
           Version: 1.1 Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Standard Actions
        AssignedTo: struts-dev@jakarta.apache.org
        ReportedBy: apache@flexweb.org


DispatchAction takes the value of a parameter and introspectively calls a
method with the same name. DispatchAction does not check what method is being
called.

It is therefore possible (and very easy) to make it call the execute() method on
any website that contains a DispatchAction by passing 'execute' as the value for
this parameter. Execute will then continue to call itself recursively, causing
very high server load and a possible complete Denial Of Service.

Since DispatchAction is a very widely used Struts component (and considered good
practice) this leaves almost every site built with Struts vulnerable. I have
tested for this behavior on Struts 1.1 final and believe all previous releases of
DispatchAction to be vulnerable as well.

Structural solution:
Modify Jakarta DispatchAction to check what method name is given and throw an
exception on an attempt to call either execute() or the deprecated but still
working perform().

Quick fix for existing sites:
Implement a base class that extends DispatchAction and checks for a call to
either execute or perform. Then have all your actions that extend
DispatchAction extend from this (safer) base class instead.

Guido Schoonheim
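An added example, not part of the bug report above and not code from the Struts project, of the "quick fix" base class the report describes. It is written against the Struts 1.1 DispatchAction API (execute() plus ActionMapping.getParameter(), both present in 1.1); the package name and the class name SafeDispatchAction are hypothetical:

```java
package com.example.struts; // hypothetical package, not part of Struts

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/**
 * Hypothetical safer base class: inspects the dispatch parameter before
 * DispatchAction's reflection-based dispatch runs, and refuses the two
 * method names that would re-enter the dispatcher (execute and perform).
 * Concrete actions extend this class instead of DispatchAction directly.
 */
public abstract class SafeDispatchAction extends DispatchAction {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // The request parameter that selects the method is configured per
        // mapping via the "parameter" attribute in struts-config.xml.
        String parameter = mapping.getParameter();
        String name = (parameter == null) ? null : request.getParameter(parameter);

        if (isForbiddenMethodName(name)) {
            // Fail closed: never let a request route back into execute()/perform().
            throw new ServletException(
                "DispatchAction does not dispatch to method '" + name + "'");
        }
        // Otherwise defer to the normal DispatchAction behaviour.
        return super.execute(mapping, form, request, response);
    }

    /**
     * True for the method names that would make the action recurse.
     * Java reflection matches method names case-sensitively, so an exact
     * string comparison covers the names DispatchAction would resolve.
     */
    static boolean isForbiddenMethodName(String name) {
        return "execute".equals(name) || "perform".equals(name);
    }
}
```

The check is a block-list of the two names the report identifies. A stricter variant, if the set of dispatch targets for an action is known in advance, is an allow-list of the expected method names with everything else rejected the same way; the thrown exception is also a convenient point to log the offending parameter value for detection.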
