Posted to issues@struts.apache.org by "Lukasz Lenart (JIRA)" <ji...@apache.org> on 2018/01/01 13:56:06 UTC

[jira] [Closed] (WW-4487) Struts 2.3.20 web applications - Potential vulnerabilities

     [ https://issues.apache.org/jira/browse/WW-4487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart closed WW-4487.
-----------------------------
    Resolution: Not A Problem

> Struts 2.3.20 web applications - Potential vulnerabilities 
> -----------------------------------------------------------
>
>                 Key: WW-4487
>                 URL: https://issues.apache.org/jira/browse/WW-4487
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Example Applications
>    Affects Versions: 2.3.20
>            Reporter: M.Eng Info Sec Concordia University
>            Priority: Trivial
>              Labels: Concordia, Info, M.Eng, Sec, University
>
> Dear Struts 2.x Development Team, 
> As part of our Master's Program course(M-Eng. Information System Security) project , we choose tried to analyse and find potential security issues in Struts 2.3.20 web applications (included as war files in the struts installation bundle) . Below are the unique list of vulnerabilities we found . Since software developers use these war files as a platform to build real world applications, the identified vulnerabilities would be present in the actual applications as well. Please analyse the vulnerabilities carefully . We hope that this exercise would help you to fix the vulnerabilities in a future release.
> Findings (Sl No, Vulnerability Type, File Name, Line No, Summary):
> 1. Privacy Violation, MailreaderSupport.java, line 374: The method findUser() in MailreaderSupport.java mishandles confidential information, which can compromise user privacy and is often illegal. Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.
> 2. Denial of Service, LongProcessAction.java, line 35: The call to sleep() at LongProcessAction.java line 35 allows an attacker to crash the program or otherwise make it unavailable to legitimate users. An attacker could cause the program to crash or otherwise become unavailable to legitimate users.
> 3. Hardcoded Password, Constants.java, line 110: Hardcoded passwords can compromise system security in a way that cannot be easily remedied.
> 4. Password (unencrypted) in a config file, alternate.properties, line 1: Storing a plaintext password in a configuration file may result in a system compromise.
> 5. Unreleased Resources, ApplicationListener.java, line 219: The function calculatePath() in ApplicationListener.java sometimes fails to release a system resource allocated by getResourceAsStream() on line 219. The program can potentially fail to release a system resource.
> Thanks and Regards
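Finding 5 in the report above is the classic "stream opened by getResourceAsStream() but not closed on every path" pattern. The following is an added illustration written for this page; it is not code from the Struts example applications and not the real calculatePath() body. The method names, the Supplier-based resource source, the property key "path" and the in-memory TrackingStream test double are all assumptions made for the example. It shows the leaking shape beside a try-with-resources version and exercises both with a stream that fails mid-read, which is exactly the path on which the leaky version skips close():

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.function.Supplier;

// Added example, not Struts code. The resource is abstracted as a
// Supplier<InputStream> so the example runs offline; in the real listener
// it would be something like getClass().getResourceAsStream(...).
public class ResourceReleaseExample {

    // Leaking pattern (assumed shape): close() is reached only if load()
    // returns normally. If load() throws, the stream is never closed and
    // stays open until the object is finalized, if ever.
    static String calculatePathLeaky(Supplier<InputStream> source) throws IOException {
        InputStream in = source.get();
        if (in == null) {
            return null;                 // nothing was allocated
        }
        Properties props = new Properties();
        props.load(in);                  // may throw: in.close() below is skipped
        in.close();
        return props.getProperty("path");
    }

    // Hardened pattern: try-with-resources closes the stream on every exit,
    // normal or exceptional. A null resource is tolerated by the language
    // (close() is simply not invoked), so the null check stays inside.
    static String calculatePath(Supplier<InputStream> source) throws IOException {
        try (InputStream in = source.get()) {
            if (in == null) {
                return null;
            }
            Properties props = new Properties();
            props.load(in);
            return props.getProperty("path");
        }
    }

    // Test double (assumption for the example): an in-memory stream that
    // records whether close() ran and can be made to fail on read.
    static final class TrackingStream extends ByteArrayInputStream {
        boolean closed;
        final boolean failOnRead;

        TrackingStream(String content, boolean failOnRead) {
            super(content.getBytes(StandardCharsets.ISO_8859_1));
            this.failOnRead = failOnRead;
        }

        @Override
        public synchronized int read(byte[] b, int off, int len) throws IOException {
            if (failOnRead) {
                throw new IOException("simulated read failure");
            }
            return super.read(b, off, len);
        }

        @Override
        public void close() throws IOException {
            closed = true;
            super.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample content standing in for a properties resource.
        String content = "path=/WEB-INF/alternate\n";

        TrackingStream ok = new TrackingStream(content, false);
        System.out.println("value: " + calculatePath(() -> ok) + ", closed: " + ok.closed);

        TrackingStream failingLeaky = new TrackingStream(content, true);
        try {
            calculatePathLeaky(() -> failingLeaky);
        } catch (IOException expected) {
            // read failure propagates from load()
        }
        System.out.println("leaky version closed stream after failure: " + failingLeaky.closed);

        TrackingStream failingSafe = new TrackingStream(content, true);
        try {
            calculatePath(() -> failingSafe);
        } catch (IOException expected) {
            // same failure, but the try-with-resources still ran close()
        }
        System.out.println("hardened version closed stream after failure: " + failingSafe.closed);
    }
}
```

Running main shows the difference the analyzer is pointing at: after the simulated read failure the leaky method leaves the stream's closed flag false, while the try-with-resources version leaves it true. On a real classpath resource the leaked handle is a file descriptor (or an open JAR entry), which is why analyzers flag it even in example code that is only expected to fail rarely.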



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)