Posted to dev@struts.apache.org by "David Evans (JIRA)" <ji...@apache.org> on 2006/04/24 22:46:12 UTC

[jira] Closed: (STR-1890) DOS attack by making DispatchAction recurse on execute()

     [ http://issues.apache.org/struts/browse/STR-1890?page=all ]
     
David Evans closed STR-1890:
----------------------------

    Resolution: Fixed

> DOS attack by making DispatchAction recurse on execute()
> --------------------------------------------------------
>
>          Key: STR-1890
>          URL: http://issues.apache.org/struts/browse/STR-1890
>      Project: Struts Action 1
>         Type: Bug
>   Components: Extras
>     Versions: 1.1 Final
>  Environment: Operating System: other
> Platform: Other
>     Reporter: Guido Schoonheim
>     Assignee: David Evans
>      Fix For: 1.2 Family
>  Attachments: DispatchAction.java
>
> DispatchAction takes the value of a parameter and introspectively calls a
> method with the same name. DispatchAction does not check what method is being
> called.
> It is therefore possible (and very easy) to make it call the execute() method on
> any website that contains a DispatchAction by passing 'execute' as the value for
> this parameter. Execute will then continue to call itself recursively causing
> very high server load and a possible complete Denial Of Service.
> Since DispatchAction is a very widely used Struts component (and considered good
> practice) this leaves almost every site built with Struts vulnerable. I have
> tested for this behavior on Struts 1.1 final and believe all previous releases of
> DispatchAction to be vulnerable as well.
> Structural solution:
> Modify Jakarta DispatchAction to check what method name is given and throw an
> exception on an attempt to call either execute() or the deprecated but still
> working perform().
> Quick fix for existing sites:
> Implement a base class that extends DispatchAction and checks for a call to
> either execute or perform. Then have all your actions that extend
> DispatchAction extend from this (safer) base class instead.
> Guido Schoonheim
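The recursion the report describes, and the guarded base class it proposes as a quick fix, modelled in Python as an added illustration (this is not Struts code; the Request class, the parameter name "method" and the save action are constructed for the example). The guard goes one step beyond the report by also refusing any name that resolves to a member of the dispatcher base class rather than of the concrete action.

```python
class Request:  # constructed stand-in for HttpServletRequest
    def __init__(self, params):
        self.params = params
    def getParameter(self, name):
        return self.params.get(name)

class DispatchAction:
    """Model of the unguarded Struts 1.1 behaviour described in the report."""
    parameter = "method"  # request parameter that names the method to invoke
    def execute(self, request):
        name = request.getParameter(self.parameter)
        if name is None:
            return self.unspecified(request)
        # Reflection-style lookup with no check on the target: method=execute
        # makes execute() call itself until the stack is exhausted.
        return getattr(self, name)(request)
    def perform(self, request):  # deprecated entry point that still works
        return self.execute(request)
    def unspecified(self, request):
        return "unspecified"

class SafeDispatchAction(DispatchAction):
    """Guarded base class in the spirit of the report's 'quick fix'. It refuses
    execute/perform and any other name defined on the dispatcher itself."""
    RESERVED = frozenset({"execute", "perform"})
    def execute(self, request):
        name = request.getParameter(self.parameter)
        if name is None:
            return self.unspecified(request)
        if (name in self.RESERVED or name.startswith("_")
                or hasattr(SafeDispatchAction, name)
                or not callable(getattr(self, name, None))):
            raise ValueError("refusing to dispatch to %r" % name)
        return getattr(self, name)(request)

class VulnerableSaveAction(DispatchAction):
    def save(self, request):
        return "saved"

class SaveAction(SafeDispatchAction):
    def save(self, request):
        return "saved"

def dispatch(action, method_name):  # run one request and classify the outcome
    request = Request({} if method_name is None else {"method": method_name})
    try:
        return action.execute(request)
    except (RecursionError, ValueError) as exc:
        return "recursion" if isinstance(exc, RecursionError) else "rejected"
```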
