
Key: WW-2030
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Rainer Hermanns
Reporter: Andrea Vettori
Votes: 6
Watchers: 14
Struts 2

User input is evaluated as an OGNL expression

Created: 05/Jul/07 10:36 AM   Updated: 13/Aug/07 07:50 AM
Component/s: Value Stack
Affects Version/s: 2.0.8
Fix Version/s: 2.0.9

File Attachments:
  Size
Text File Licensed for inclusion in ASF works no-recursion-in-text-parse.diff 2007-07-16 01:33 PM Don Brown 5 kB
File Struts.diff 2007-07-05 05:57 PM Musachy Barroso 0.6 kB
File Licensed for inclusion in ASF works Struts2.diff 2007-07-05 06:40 PM Musachy Barroso 2 kB
Text File Licensed for inclusion in ASF works translateVariable.txt 2007-07-06 02:55 PM Andrea Vettori 3 kB
Text File translateVariable2.txt 2007-07-06 02:58 PM Andrea Vettori 3 kB
File Licensed for inclusion in ASF works xwork.diff 2007-07-05 05:58 PM Musachy Barroso 3 kB
File Licensed for inclusion in ASF works xwork2.diff 2007-07-05 06:40 PM Musachy Barroso 4 kB
Issue Links:
Reference
 

Flags: Important


Description
All user input, for example entered through a form, is evaluated as an OGNL expression.
This leads to a remote exploit of possible malicious code execution of any kind, such as server shutdown or information theft.

Moreover, it can lead to a DoS problem:
On a form with:
<s:textfield name="xxx">
if the user enters %{xxx} as the value then com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an infinite loop eating about 1GB of ram in one second on my server.
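
The loop described above can be reproduced in a small model. This is an added Java example, not XWork or Struts source and not the attached patch. It assumes the parser re-scans text after substituting an expression's value; the class and method names, the Map standing in for the value stack, and the maxPasses guard are hypothetical.

```java
import java.util.Map;

// Added illustration, not XWork source. A Map stands in for the value stack.
public class TranslateVariablesModel {
    // Returns {start, end} of the first %{...} span at or after 'from', or null.
    static int[] findExpr(String s, int from) {
        int start = s.indexOf("%{", from);
        if (start < 0) return null;
        int end = s.indexOf('}', start + 2);
        return end < 0 ? null : new int[] {start, end};
    }

    // Re-scanning model: substituted text is parsed again, so a value containing
    // %{...} is itself evaluated. maxPasses is a guard added for this demo.
    static String translateRescan(String text, Map<String, String> stack, int maxPasses) {
        int[] span;
        int passes = 0;
        while ((span = findExpr(text, 0)) != null) {
            if (++passes > maxPasses) {
                throw new IllegalStateException("no fixed point after " + maxPasses + " passes");
            }
            String value = stack.getOrDefault(text.substring(span[0] + 2, span[1]), "");
            text = text.substring(0, span[0]) + value + text.substring(span[1] + 1);
        }
        return text;
    }

    // Single-pass model: each expression in the template is evaluated once and
    // its result is appended as literal text that is never parsed again.
    static String translateOnce(String text, Map<String, String> stack) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        int[] span;
        while ((span = findExpr(text, pos)) != null) {
            out.append(text, pos, span[0]);
            out.append(stack.getOrDefault(text.substring(span[0] + 2, span[1]), ""));
            pos = span[1] + 1;
        }
        return out.append(text.substring(pos)).toString();
    }
    public static void main(String[] args) {
        Map<String, String> stack = Map.of("xxx", "%{xxx}"); // constructed field value
        System.out.println("single pass: " + translateOnce("%{xxx}", stack));
        try {
            translateRescan("%{xxx}", stack, 1000);
        } catch (IllegalStateException e) {
            System.out.println("re-scan: " + e.getMessage());
        }
    }
}
```

In the single-pass model the submitted text comes back as the literal string `%{xxx}`, while the re-scanning model substitutes the same text forever and stops only because of the demo guard.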



Andrea Vettori made changes - 05/Jul/07 10:39 AM
Field Original Value New Value
Description
Original Value:
On a form with

<s:textfield name="xxx">

if the user enters %{xxx} as a value com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters and infinite loop eating about 1GB of ram in one second on my server.

New Value:
On a form with

<s:textfield name="xxx">

if the user enters %{xxx} as the value then com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an infinite loop eating about 1GB of ram in one second on my server.

Musachy Barroso made changes - 05/Jul/07 05:57 PM
Attachment Struts.diff [ 13517 ]
Musachy Barroso made changes - 05/Jul/07 05:58 PM
Attachment xwork.diff [ 13518 ]
Musachy Barroso made changes - 05/Jul/07 06:40 PM
Attachment Struts2.diff [ 13519 ]
Musachy Barroso made changes - 05/Jul/07 06:40 PM
Attachment xwork2.diff [ 13520 ]
Andrea Vettori made changes - 06/Jul/07 02:55 PM
Attachment translateVariable.txt [ 13521 ]
Andrea Vettori made changes - 06/Jul/07 02:58 PM
Attachment translateVariable2.txt [ 13522 ]
Antonio Petrelli made changes - 16/Jul/07 08:51 AM
Description
Original Value:
On a form with

<s:textfield name="xxx">

if the user enters %{xxx} as the value then com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an infinite loop eating about 1GB of ram in one second on my server.

New Value:
All user input, for example entered through a form, is evaluated as an OGNL expression.
This leads to a remote exploit of possible malicious code execution of any kind, such as server shutdown or information theft.

Moreover, it can lead to a DoS problem:
On a form with:
<s:textfield name="xxx">
if the user enters %{xxx} as the value then com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an infinite loop eating about 1GB of ram in one second on my server.

Summary
Original Value: DOS (continuos memory eating on an infinte loop) on form fields
New Value: User input is evaluated as an OGNL expression
Don Brown made changes - 16/Jul/07 01:33 PM
Attachment no-recursion-in-text-parse.diff [ 13532 ]
Rainer Hermanns made changes - 19/Jul/07 08:29 PM
Status Open [ 1 ] Resolved [ 5 ]
Fix Version/s 2.0.9 [ 21832 ]
Assignee Rainer Hermanns [ rainerh ]
Resolution Fixed [ 1 ]
Jeff Turner made changes - 09/Aug/07 07:16 AM
Workflow Struts [ 41527 ] Struts - editable closed status [ 41990 ]
Don Brown made changes - 13/Aug/07 07:50 AM
Link This issue is related to WW-2107 [ WW-2107 ]
Antonio Petrelli made changes - 08/Jan/09 08:57 AM
Workflow Struts - editable closed status [ 41990 ] Struts - editable closed status (temporary) [ 46762 ]
Antonio Petrelli made changes - 08/Jan/09 09:05 AM
Workflow Struts - editable closed status (temporary) [ 46762 ] Struts - editable closed status [ 50022 ]