Posted to dev@struts.apache.org by bu...@apache.org on 2001/11/21 14:22:41 UTC

DO NOT REPLY [Bug 4997] New: - ActionForm exposes the ActionServlet, which has String properties that can be changed via a HTTP request.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4997

           Summary: ActionForm exposes the ActionServlet, which has String
                    properties that can be changed via a HTTP request.
           Product: Struts
           Version: 1.0 Final
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Controller
        AssignedTo: struts-dev@jakarta.apache.org
        ReportedBy: husted@apache.org


When the dotted syntax was added to the autopopulation mechanism, it had the 
side effect of exposing all public String properties on the nested object to 
HTTP. Any of these can then be changed by any user via a HTTP query string. The 
ActionServlet is exposed by the Struts ActionForm, so the temporary folder and 
upload buffer size properties could be altered, creating a Denial of Service 
situation. The proposed fix is to enclose the ActionServlet property in a 
wrapper which safely exposes only the properties needed by the framework, and 
cannot be exploited. See annexed for a complete discussion. Ted Husted is to 
apply a patch. Many thanks to Dmitri Plotnikov who first reported this exploit.

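The mechanism described in the report and the wrapper fix it proposes, as an added example that is not part of the original message and is not Struts code. `Controller`, `ControllerView`, the two form classes, the simplified `populate` helper and the parameter name `servlet.tempDir` are hypothetical stand-ins constructed for illustration.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;

public class NestedPopulateDemo {
    // Hypothetical stand-in for the controller servlet: it has a public String setter.
    public static class Controller {
        private String tempDir = "/var/tmp/uploads";
        public String getTempDir() { return tempDir; }
        public void setTempDir(String dir) { tempDir = dir; }
    }
    // Wrapper in the spirit of the proposed fix: a read-only view with no setters.
    public static class ControllerView {
        private final Controller controller;
        public ControllerView(Controller c) { controller = c; }
        public String getTempDir() { return controller.getTempDir(); }
    }
    // Form that hands out the controller itself (the reported problem).
    public static class ExposedForm {
        private final Controller servlet;
        public ExposedForm(Controller c) { servlet = c; }
        public Controller getServlet() { return servlet; }
    }
    // Form that hands out only the wrapper.
    public static class WrappedForm {
        private final ControllerView servlet;
        public WrappedForm(Controller c) { servlet = new ControllerView(c); }
        public ControllerView getServlet() { return servlet; }
    }
    static PropertyDescriptor find(Object bean, String name) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors())
            if (pd.getName().equals(name)) return pd;
        return null;
    }
    // Simplified dotted-path populate: follow getters, then call the last segment's setter.
    static boolean populate(Object bean, String path, String value) throws Exception {
        String[] parts = path.split("\\.");
        for (int i = 0; i < parts.length - 1 && bean != null; i++) {
            PropertyDescriptor pd = find(bean, parts[i]);
            bean = (pd == null || pd.getReadMethod() == null) ? null : pd.getReadMethod().invoke(bean);
        }
        PropertyDescriptor last = (bean == null) ? null : find(bean, parts[parts.length - 1]);
        if (last == null || last.getWriteMethod() == null) return false; // nothing writable here
        last.getWriteMethod().invoke(bean, value);
        return true;
    }
    public static void main(String[] args) throws Exception {
        Controller c = new Controller();
        // Constructed request parameter: name "servlet.tempDir", value "/nonexistent".
        System.out.println(populate(new WrappedForm(c), "servlet.tempDir", "/nonexistent") + " " + c.getTempDir());
        System.out.println(populate(new ExposedForm(c), "servlet.tempDir", "/nonexistent") + " " + c.getTempDir());
    }
}
```

The wrapped form rejects the write because the view has no setter for the populate step to find, while the exposed form lets the same parameter overwrite the controller's setting.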