Posted to dev@struts.apache.org by "David Evans (JIRA)" <ji...@apache.org> on 2006/04/24 22:46:12 UTC
[jira] Closed: (STR-1890) DOS attack by making DispatchAction recurse on execute()
[ http://issues.apache.org/struts/browse/STR-1890?page=all ]
David Evans closed STR-1890:
----------------------------
Resolution: Fixed
> DOS attack by making DispatchAction recurse on execute()
> --------------------------------------------------------
>
> Key: STR-1890
> URL: http://issues.apache.org/struts/browse/STR-1890
> Project: Struts Action 1
> Type: Bug
> Components: Extras
> Versions: 1.1 Final
> Environment: Operating System: other
> Platform: Other
> Reporter: Guido Schoonheim
> Assignee: David Evans
> Fix For: 1.2 Family
> Attachments: DispatchAction.java
>
> DispatchAction takes the value of a parameter and introspectively calls a
> method with the same name. DispatchAction does not check what method is being
> called.
> It is therefore possible (and very easy) to make it call the execute() method on
> any website that contains a DispatchAction by passing 'execute' as the value for
> this parameter. Execute will then continue to call itself recursively, causing
> very high server load and a possible complete Denial Of Service.
> Since DispatchAction is a very widely used Struts component (and considered good
> practice) this leaves almost every site built with Struts vulnerable. I have
> tested for this behavior on Struts 1.1 final and believe all previous releases of
> DispatchAction to be vulnerable as well.
> Structural solution:
> Modify Jakarta DispatchAction to check what method name is given and throw an
> exception on an attempt to call either execute() or the deprecated but still
> working perform().
> Quick fix for existing sites:
> Implement a base class that extends DispatchAction and checks for a call to
> either execute or perform. Then have all your actions that extend
> DispatchAction extend from this (safer) base class instead.
> Guido Schoonheim
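The "quick fix for existing sites" described above, written out as an added example. This is not code from the report or from Struts itself; it assumes the Struts 1.x DispatchAction API (ActionMapping.getParameter() naming the request parameter that selects the method, and execute() doing the reflective dispatch). The class names SafeDispatchAction and OrderAction are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/**
 * Hypothetical site-local base class: refuses to dispatch to the
 * framework entry points before DispatchAction's reflective lookup runs.
 * Every site action that used to extend DispatchAction extends this instead.
 */
public abstract class SafeDispatchAction extends DispatchAction {

    /** Names that must never be reachable through the dispatch parameter. */
    private static final Set FORBIDDEN = Collections.unmodifiableSet(
        new HashSet(Arrays.asList(new String[] { "execute", "perform" })));

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws Exception {
        // mapping.getParameter() is the name of the request parameter that
        // DispatchAction turns into a method name (e.g. "method").
        String parameter = mapping.getParameter();
        if (parameter != null) {
            String name = request.getParameter(parameter);
            if (name != null && FORBIDDEN.contains(name)) {
                // Fail closed: a request naming execute/perform is never
                // legitimate, so reject it instead of recursing.
                throw new ServletException(
                    "Refusing to dispatch to reserved method '" + name
                    + "' on " + mapping.getPath());
            }
        }
        // Only now let DispatchAction do its normal reflective dispatch.
        return super.execute(mapping, form, request, response);
    }
}

/** Hypothetical site action showing the drop-in change of base class. */
class OrderAction extends SafeDispatchAction {

    public ActionForward save(ActionMapping mapping, ActionForm form,
                              HttpServletRequest request,
                              HttpServletResponse response) {
        return mapping.findForward("saved");
    }

    public ActionForward cancel(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request,
                                HttpServletResponse response) {
        return mapping.findForward("cancelled");
    }
}
```

With the mapping's parameter attribute set to "method", a request such as /order.do?method=save dispatches normally, while /order.do?method=execute or ?method=perform is rejected with a ServletException before any reflection happens. The check is done in execute() rather than in a subclass-visible hook so that it also covers DispatchAction subclasses that override other methods; it does not replace the structural fix in the framework itself.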
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/struts/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org