Posted to user@struts.apache.org by Krassen Deltchev <kr...@ruhr-uni-bochum.de> on 2013/11/20 04:33:48 UTC

security impact after enabling back the "action:" prefix in Struts 2.3.15.3

Dear Struts2 mailing list,

I have the following question(s) / I need the following advice:
by default the "action:" prefix is set to false in Struts2 v2.3.15.3 as per:
http://struts.apache.org/release/2.3.x/docs/s2-018
for security reasons,
but I need to set it back to true (i.e. the
struts.mapper.action.prefix.enabled) because my actions do not work
after the library update, and if I decide to go another way to solve this
issue, I need to do a lot of refactoring on my code.
So my question is:
if I enable the "action:" prefix, does it mean that I automatically
compromise/expose my application to the security issues discussed in
s2-16, s2-17 and s2-18?
Is there a workaround for my scenario, so that I can enable the prefix but
still maintain the security level of my application considering the
issues enumerated above? (Can I achieve better results if I properly
tweak the struts.mapper.action.prefix.crossNamespaces?)

Many thanks for your opinions and support!

Best,

krassen
-- 

Krassen Deltchev
M.Sc. Applied Computer Science, Ruhr-University of Bochum
LPIC I
http://www.xing.com/profile/Krassen_Deltchev
http://de.linkedin.com/pub/krassen-deltchev/22/632/12
http://www.slideshare.net/test2v
https://twitter.com/#!/test2v

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Lukasz Lenart <lu...@apache.org>.
2013/12/17 Miguel Almeida <mi...@almeida.at>:
> Great to hear that. BTW, you've been missed on IRC's #struts, drop by
> some time!

Too many communication channels ;-) When the entire company switches
to using IRC I'll be there all the time :-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Miguel Almeida <mi...@almeida.at>.
On Tue, 2013-12-17 at 11:40 +0100, Lukasz Lenart wrote:

> 2013/12/17 Miguel Almeida <mi...@almeida.at>:
> > Lukasz,
> >
> > Just to be sure, does that mean that if you use 2.3.15.3 and you set the
> > flag to enable the action: prefix it means you'll get the old behaviour
> > (and vulnerability) back?
> 
> As I cannot answer your question directly on a public forum, I will say
> that there is one more option you should keep false when you have enabled
> support for the action: prefix.
> 
> Anyway, right now I'm working on the two most important things: better DMI
> and action: support :-)

Great to hear that. BTW, you've been missed on IRC's #struts, drop by
some time!



> 
> 
> Regards



Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Lukasz Lenart <lu...@apache.org>.
2013/12/17 Miguel Almeida <mi...@almeida.at>:
> Lukasz,
>
> Just to be sure, does that mean that if you use 2.3.15.3 and you set the
> flag to enable the action: prefix it means you'll get the old behaviour
> (and vulnerability) back?

As I cannot answer your question directly on a public forum, I will say
that there is one more option you should keep false when you have enabled
support for the action: prefix.

Anyway, right now I'm working on the two most important things: better DMI
and action: support :-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
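
The settings discussed in this thread can be checked mechanically. The following is an added example, not part of any message in the thread and not Struts project code: it reads the two `action:` prefix constants named in the original question from a `struts.xml` and an optional `struts.properties`, and classifies the result. It assumes the unnamed "one more option" is `struts.mapper.action.prefix.crossNamespaces`, that unset constants default to false in 2.3.15.3, and that `struts.properties` overrides `struts.xml`; the sample inputs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "struts.mapper.action.prefix.enabled"
CROSS_NS = "struts.mapper.action.prefix.crossNamespaces"

# Constructed sample inputs, not taken from any poster's application.
SAMPLE_STRUTS_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="struts.mapper.action.prefix.enabled" value="true"/>
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="false"/>
</struts>"""
SAMPLE_PROPERTIES = "# constructed\nstruts.mapper.action.prefix.crossNamespaces = true\n"

def constants_from_xml(text):
    """Return {name: value} for every <constant> element in struts.xml text."""
    root = ET.fromstring(text)
    return {c.get("name"): (c.get("value") or "").strip()
            for c in root.iter("constant")}

def constants_from_properties(text):
    """Return {key: value} from key=value lines, skipping comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out

def effective_constants(xml_text="", properties_text=""):
    """Merge both sources; struts.properties is assumed to load last and win."""
    merged = constants_from_xml(xml_text) if xml_text.strip() else {}
    merged.update(constants_from_properties(properties_text))
    return merged

def audit(constants):
    """Classify the action: prefix settings; unset means false (assumed default)."""
    enabled = constants.get(PREFIX, "false").lower() == "true"
    cross = constants.get(CROSS_NS, "false").lower() == "true"
    if not enabled:
        return "ok", "action: prefix disabled"
    if cross:
        return "risky", "action: prefix enabled and crossNamespaces is true"
    return "review", "action: prefix enabled, crossNamespaces kept false"

if __name__ == "__main__":
    print(audit(effective_constants(SAMPLE_STRUTS_XML)))
    print(audit(effective_constants(SAMPLE_STRUTS_XML, SAMPLE_PROPERTIES)))
```
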



Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Miguel Almeida <mi...@almeida.at>.
Lukasz,

Just to be sure, does that mean that if you use 2.3.15.3 and you set the
flag to enable the action: prefix it means you'll get the old behaviour
(and vulnerability) back?


Miguel

On Mon, 2013-12-16 at 08:27 +0100, Lukasz Lenart wrote:

> 2.3.15.2 and 2.3.15.3 address the same issue, but 2.3.15.2 breaks
> support for the action: prefix, that's why we released 2.3.15.3 as well -
> even if you don't use the action: prefix functionality it will be better
> to upgrade to 2.3.15.3 and use the new flag to disable the action: prefix,
> which is the safer option.
> 
> 
> Regards



Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Lukasz Lenart <lu...@apache.org>.
2.3.15.2 and 2.3.15.3 address the same issue, but 2.3.15.2 breaks
support for the action: prefix, that's why we released 2.3.15.3 as well -
even if you don't use the action: prefix functionality it will be better
to upgrade to 2.3.15.3 and use the new flag to disable the action: prefix,
which is the safer option.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/12/11 Markus Fischer <Ma...@knipp.de>:
> Dear group,
>
> I hope that you can help to clear up my confusion about the current
> status of Struts 2.3.15.2 with regards to the security vulnerability
> S2-018 (see [1]).
>
> So far, it was my understanding that S2-018 is fixed with the 2.3.15.2
> release. And the release notes still suggest that this is the case (see
> [2]). Also, in [3] the vulnerability is categorized as only affecting
> Struts versions up to 2.3.15.1.
>
> But now I found that S2-018 is listed as vulnerability affecting Struts
> 2.3.15.2 (see [4]). Also, the description of S2-018 currently states the
> following: "In Struts 2 before 2.3.15.3, under certain conditions this
> can be used to bypass security constraints."
>
> I am aware that there are backward compatibility issues with the action:
> prefix not working with Struts 2.3.15.2. However, some of the projects I
> am administrating (and which are running Struts 2.3.15.2) do not make
> use of that feature.
>
> My question is: do I need to update those systems in order not to be
> affected by a security vulnerability? Or is S2-018 merely listed as
> affecting Struts 2.3.15.2 because of the backward compatibility issue,
> but the security issue is fixed?
>
> Many thanks in advance,
> Markus
>
> [1] http://struts.apache.org/development/2.x/docs/s2-018.html
>
> [2] http://struts.apache.org/development/2.x/docs/version-notes-23152.html
>
> [3] http://www.cvedetails.com/cve/CVE-2013-4310/
>
> [4] http://struts.apache.org/downloads.html
>
>


Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Markus Fischer <Ma...@knipp.de>.
Dear group,

I hope that you can help to clear up my confusion about the current
status of Struts 2.3.15.2 with regards to the security vulnerability
S2-018 (see [1]).

So far, it was my understanding that S2-018 is fixed with the 2.3.15.2
release. And the release notes still suggest that this is the case (see
[2]). Also, in [3] the vulnerability is categorized as only affecting
Struts versions up to 2.3.15.1.

But now I found that S2-018 is listed as vulnerability affecting Struts
2.3.15.2 (see [4]). Also, the description of S2-018 currently states the
following: "In Struts 2 before 2.3.15.3, under certain conditions this
can be used to bypass security constraints."

I am aware that there are backward compatibility issues with the action:
prefix not working with Struts 2.3.15.2. However, some of the projects I
am administrating (and which are running Struts 2.3.15.2) do not make
use of that feature.

My question is: do I need to update those systems in order not to be
affected by a security vulnerability? Or is S2-018 merely listed as
affecting Struts 2.3.15.2 because of the backward compatibility issue,
but the security issue is fixed?

Many thanks in advance,
Markus

[1] http://struts.apache.org/development/2.x/docs/s2-018.html

[2] http://struts.apache.org/development/2.x/docs/version-notes-23152.html

[3] http://www.cvedetails.com/cve/CVE-2013-4310/

[4] http://struts.apache.org/downloads.html




Re: security impact after enabling back the "action:" prefix in Struts 2.3.15.3

Posted by semog12 <se...@gmail.com>.
Hi,

I have the same question. I have one form with two submit tags, and if
setting the constant 'struts.mapper.action.prefix.enabled' can bring
security issues, what is the possible solution?

Thanks,

André Gomes







Re: security impact after enabling back the "action:" prefix in Struts 2.3.15.3

Posted by Lukasz Lenart <lu...@apache.org>.
2013/11/26 Miguel Almeida <mi...@almeida.at>:
> Picking up on this topic, I noticed that disabling this feature will
> break any JSPs where you've set the action in the <s:submit> tag instead
> of the <s:form> tag.
>
> This is particularly problematic in situations where for some reason
> you have one form with two submit tags, since the submit is the only
> place where you can distinguish the actions.
>
> This can also be related with a similar situation in s2-019, where the
> disabling of the DMI makes the method="" parameter of the tags unusable.
>
> I've learnt that this will be better handled in a future version of
> struts, so my assumption is that the normal behaviour will return in
> both situations on a future non-security release - hopefully the next
> one! Maybe someone from the dev team can share their input with us?

As I have already mentioned in another topic - we are discussing this
issue on the private@ list but I will move the discussion here to see your
input.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: security impact after enabling back the "action:" prefix in Struts 2.3.15.3

Posted by Krassen Deltchev <kr...@ruhr-uni-bochum.de>.
Dear Miguel!

Thank you very much for your thoughts on the problem and your feedback!
Keep the good work up!

All the best!

krassen

On 26.11.13 10:19, Miguel Almeida wrote:
> Picking up on this topic, I noticed that disabling this feature will
> break any JSPs where you've set the action in the <s:submit> tag instead
> of the <s:form> tag.
> 
> This is particularly problematic in situations where for some reason
> you have one form with two submit tags, since the submit is the only
> place where you can distinguish the actions.
> 
> This can also be related with a similar situation in s2-019, where the
> disabling of the DMI makes the method="" parameter of the tags unusable.
> 
> I've learnt that this will be better handled in a future version of
> struts, so my assumption is that the normal behaviour will return in
> both situations on a future non-security release - hopefully the next
> one! Maybe someone from the dev team can share their input with us?
> 
> 
> Kind regards,
> Miguel Almeida
> 
> On Wed, 2013-11-20 at 04:33 +0100, Krassen Deltchev wrote:
> 
>> Dear Struts2 mailing list,
>>
>> I have the following question(s) / I need the following advice:
>> by default the "action:" prefix is set to false in Struts2 v2.3.15.3 as per:
>> http://struts.apache.org/release/2.3.x/docs/s2-018
>> for security reasons,
>> but I need to set it back to true (i.e. the
>> struts.mapper.action.prefix.enabled) because my actions do not work
>> after the library update, and if I decide to go another way to solve this
>> issue, I need to do a lot of refactoring on my code.
>> So my question is:
>> if I enable the "action:" prefix, does it mean that I automatically
>> compromise/expose my application to the security issues discussed in
>> s2-16, s2-17 and s2-18?
>> Is there a workaround for my scenario, so that I can enable the prefix but
>> still maintain the security level of my application considering the
>> issues enumerated above? (Can I achieve better results if I properly
>> tweak the struts.mapper.action.prefix.crossNamespaces?)
>>
>> Many thanks for your opinions and support!
>>
>> Best,
>>
>> krassen
> 
> 
> 


-- 

Krassen Deltchev
M.Sc. Applied Computer Science, Ruhr-University of Bochum
LPIC I
http://www.xing.com/profile/Krassen_Deltchev
http://de.linkedin.com/pub/krassen-deltchev/22/632/12
http://www.slideshare.net/test2v
https://twitter.com/#!/test2v



Re: security impact after enabling back the "action:" prefix in Struts 2.3.15.3

Posted by Miguel Almeida <mi...@almeida.at>.
Picking up on this topic, I noticed that disabling this feature will
break any JSPs where you've set the action in the <s:submit> tag instead
of the <s:form> tag.

This is particularly problematic in situations where for some reason
you have one form with two submit tags, since the submit is the only
place where you can distinguish the actions.

This can also be related with a similar situation in s2-019, where the
disabling of the DMI makes the method="" parameter of the tags unusable.

I've learnt that this will be better handled in a future version of
struts, so my assumption is that the normal behaviour will return in
both situations on a future non-security release - hopefully the next
one! Maybe someone from the dev team can share their input with us?


Kind regards,
Miguel Almeida

On Wed, 2013-11-20 at 04:33 +0100, Krassen Deltchev wrote:

> Dear Struts2 mailing list,
> 
> I have the following question(s) / I need the following advice:
> by default the "action:" prefix is set to false in Struts2 v2.3.15.3 as per:
> http://struts.apache.org/release/2.3.x/docs/s2-018
> for security reasons,
> but I need to set it back to true (i.e. the
> struts.mapper.action.prefix.enabled) because my actions do not work
> after the library update, and if I decide to go another way to solve this
> issue, I need to do a lot of refactoring on my code.
> So my question is:
> if I enable the "action:" prefix, does it mean that I automatically
> compromise/expose my application to the security issues discussed in
> s2-16, s2-17 and s2-18?
> Is there a workaround for my scenario, so that I can enable the prefix but
> still maintain the security level of my application considering the
> issues enumerated above? (Can I achieve better results if I properly
> tweak the struts.mapper.action.prefix.crossNamespaces?)
> 
> Many thanks for your opinions and support!
> 
> Best,
> 
> krassen