Struts 1 - STR-3206

classloader properties should not be tampered while populating ActionForm


Details

• Type: Bug
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 1.3.10
• Fix Version/s: None
• Component/s: Core
• Labels: None
• Environment: any
• Flags: Patch, Important

Description

Current implementation in RequestUtils.populate(Object bean, String prefix, String suffix, HttpServletRequest request) allows an attacker to manipulate any settable classloader properties along the classloader hierarchy. For example, an attacker can send such parameters, e.g. class.classLoader.delegateMode=true/false, to turn on/off the delegationMode of the classloader which can cause a DoS effect on the application. To prevent this from happening, any parameters with "class.classLoader" pattern should be excluded from the binding properties created in the current method.
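The exclusion the reporter proposes, written out as an added example that is not part of this issue, its attached patch, or the Struts code base. It assumes the parameter map has already been collected from the request (as RequestUtils.populate does before calling BeanUtils.populate) and filters it by property path. The class name, method names and the regular expression are assumptions made here; the example also goes slightly beyond the text by rejecting any path segment named "class" (which covers nested, indexed and mapped forms such as "items[0].class.classLoader.…"), since every route to the ClassLoader goes through the "class" property that BeanUtils resolves to Object.getClass().

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical, not Struts code): drop request parameters
 * whose BeanUtils property path walks through "class" before they reach
 * BeanUtils.populate(), so "class.classLoader.*" can never be set.
 */
public class ClassLoaderParamFilter {

    // A "class" segment delimited by the BeanUtils separators: nested ".",
    // indexed "[n]" and mapped "(key)". Requiring the delimiters keeps
    // legitimate properties such as "classification" or "myclass" usable.
    // CASE_INSENSITIVE is a defensive assumption; BeanUtils property names
    // are normally lower-camel-case.
    private static final Pattern CLASS_SEGMENT = Pattern.compile(
        "(^|\\.|\\]|\\))class(\\.|\\[|\\(|$)", Pattern.CASE_INSENSITIVE);

    /** True when the parameter name may be bound onto the ActionForm. */
    static boolean isSafeParameterName(String name) {
        return !CLASS_SEGMENT.matcher(name).find();
    }

    /** Returns a copy of the parameter map with dangerous names removed. */
    static Map<String, String[]> filterParameters(Map<String, String[]> params) {
        Map<String, String[]> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isSafeParameterName(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample request: ordinary form fields mixed with the
        // kind of parameter the issue describes.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("username", new String[]{"alice"});
        request.put("class.classLoader.delegateMode", new String[]{"false"});
        request.put("address.city", new String[]{"Berlin"});
        request.put("items[0].class.classLoader.resources.x", new String[]{"y"});
        request.put("classification", new String[]{"internal"});

        Map<String, String[]> safe = filterParameters(request);
        for (String name : safe.keySet()) {
            System.out.println("accepted: " + name);
        }
        // Prints username, address.city and classification; the two
        // class.classLoader paths are dropped. The surviving map is what
        // would then be handed to BeanUtils.populate(bean, safe).
    }
}
```

The filter belongs before the BeanUtils call rather than inside it: once BeanUtils.populate() starts resolving "class.classLoader", the setters on the container's ClassLoader are already being invoked. Whichever pattern is chosen, it should be checked against the full property path (including prefix and suffix handling in RequestUtils.populate) rather than only the leading characters of the parameter name.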

Attachments

1. RequestUtils.java (43 kB, Xiaohong Zheng)


People

• Assignee: Unassigned
• Reporter: zhengfmr Xiaohong Zheng
• Votes: 0
• Watchers: 0


Time Tracking

• Original Estimate: 24h
• Remaining Estimate: 24h
• Time Spent: Not Specified