You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@struts.apache.org by bu...@apache.org on 2001/11/21 14:22:41 UTC
DO NOT REPLY [Bug 4997] New: -
ActionForm exposes the ActionServlet, which has String properties that can be changed via a HTTP request.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4997>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4997
ActionForm exposes the ActionServlet, which has String properties that can be changed via a HTTP request.
Summary: ActionForm exposes the ActionServlet, which has String
properties that can be changed via a HTTP request.
Product: Struts
Version: 1.0 Final
Platform: All
OS/Version: Other
Status: NEW
Severity: Major
Priority: Other
Component: Controller
AssignedTo: struts-dev@jakarta.apache.org
ReportedBy: husted@apache.org
When the dotted syntax was added to the autopopulation mechanism, it has the
side affect of exposing all public String properties on the nested object to
HTTP. Any of these can then be changed by any user via a HTTP query string. The
ActionServlet is exposed by the Struts ActionForm, so the temporary folder and
upload buffer size properties could be altered, creating a Denial of Service
situation. The proposed fix is to
enclose the ActionServlet property in a wrapper which safely exposes
only the properties needed by the framework, and cannot be exploited. See
annexed for a complete discussion. Ted Husted is to apply a patch. Many thanks
to Dmitri Plotnikov who first reported this exploit.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>