You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Hisato Killing (JIRA)" <ji...@apache.org> on 2007/10/18 07:08:39 UTC
[jira] Updated: (WW-2264) A session value is overwrited by
requesting.
[ https://issues.apache.org/struts/browse/WW-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hisato Killing updated WW-2264:
-------------------------------
Attachment: s2inject.zip
Here is a sample.
> A session value is overwrited by requesting.
> --------------------------------------------
>
> Key: WW-2264
> URL: https://issues.apache.org/struts/browse/WW-2264
> Project: Struts 2
> Issue Type: Bug
> Components: Value Stack
> Affects Versions: 2.0.9
> Environment: I tested in struts2.0.9
> Reporter: Hisato Killing
> Priority: Critical
> Attachments: s2inject.zip
>
>
> The attacker can inject the given value into session map by clicking following URL.
> http://example.com/SomeAction.action?session.somekey=someValue
> [[A session value is overwrited by demanding a browser. ]]
> FROM: hisato.killing@gmail.com
> TO: struts-dev
> >>>>
> 1.This problem is caused in struts 2.0.9 and others perhaps.
> In that case, it is assumed that it is as follows.
> i. SomeAction is implements SessionAware.
> ii. And It is defined in struts-default.
> iii. devMode is true or false.
> ["someValue"] of the name of "someKey" enters in SessionMap when the
> request shown in that URL is processed.
> It is meant that ["someValue"] is an array including "someValue".
> This causes ClassCastException in case of almost.
> hisato.killing@gmail.com
> It is thought that this only has to be my mistake ,setting etc.
> Thanks
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.