
Key: WW-2030
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Rainer Hermanns
Reporter: Andrea Vettori
Votes: 6
Watchers: 14
Struts 2

User input is evaluated as an OGNL expression

Created: 05/Jul/07 10:36 AM   Updated: 13/Aug/07 07:50 AM
Component/s: Value Stack
Affects Version/s: 2.0.8
Fix Version/s: 2.0.9

File Attachments (name, date, uploader, size):
no-recursion-in-text-parse.diff, 2007-07-16 01:33 PM, Don Brown, 5 kB (licensed for inclusion in ASF works)
Struts.diff, 2007-07-05 05:57 PM, Musachy Barroso, 0.6 kB
Struts2.diff, 2007-07-05 06:40 PM, Musachy Barroso, 2 kB (licensed for inclusion in ASF works)
translateVariable.txt, 2007-07-06 02:55 PM, Andrea Vettori, 3 kB (licensed for inclusion in ASF works)
translateVariable2.txt, 2007-07-06 02:58 PM, Andrea Vettori, 3 kB
xwork.diff, 2007-07-05 05:58 PM, Musachy Barroso, 3 kB (licensed for inclusion in ASF works)
xwork2.diff, 2007-07-05 06:40 PM, Musachy Barroso, 4 kB (licensed for inclusion in ASF works)
Issue Links:
Reference
 

Flags: Important


Description
All user input, for example entered through a form, is evaluated as an OGNL expression.
This leads to a remote exploit of possible malicious code execution of any kind, such as server shutdown or information theft.

Moreover, it can lead to a DoS problem:
On a form with:
<s:textfield name="xxx">
if the user enters %{xxx} as the value, then com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an infinite loop, eating about 1 GB of RAM in one second on my server.



Subversion Commits

Repository: Struts
Revision: #556624
Date: Mon Jul 16 13:35:09 UTC 2007
User: mrdon
Message: Adding tests to ensure recursive value attribute processing has been disabled
WW-2030
Files Changed
MODIFY /struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/jsp/ui/TextfieldTest.java
ADD /struts/struts2/trunk/core/src/test/resources/org/apache/struts2/views/jsp/ui/Textfield-5.txt
ADD /struts/struts2/trunk/core/src/test/resources/org/apache/struts2/views/jsp/ui/Textfield-6.txt

Repository: Struts
Revision: #557701
Date: Thu Jul 19 17:31:26 UTC 2007
User: hermanns
Message: Updating to xwork 2.0.4 release
o xwork 2.0.4 contains the fix for the critical security issue
  (see https://issues.apache.org/struts/browse/WW-2030 for details)

Note: The xwork group id changed from 'opensymphony' to 'com.opensymphony'

Issue Number: WW-2030
Files Changed
MODIFY /struts/struts2/branches/STRUTS_2_0_X/core/pom.xml
MODIFY /struts/struts2/branches/STRUTS_2_0_X/backport/translate.bat
MODIFY /struts/struts2/branches/STRUTS_2_0_X/assembly/pom.xml
MODIFY /struts/struts2/branches/STRUTS_2_0_X/backport/translate.sh