Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-2264

A session value is overwrited by requesting.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Not A Problem
    • Affects Version/s: 2.0.9
    • Fix Version/s: 2.0.9
    • Component/s: Value Stack
    • Labels:
      None
    • Environment:

      I tested in struts2.0.9

      Description

      The attacker can inject the given value into session map by clicking following URL.

      http://example.com/SomeAction.action?session.somekey=someValue

      [[A session value is overwrited by demanding a browser. ]]
      FROM: hisato.killing@gmail.com
      TO: struts-dev
      >>>>
      1.This problem is caused in struts 2.0.9 and others perhaps.

      In that case, it is assumed that it is as follows.
      i. SomeAction is implements SessionAware.
      ii. And It is defined in struts-default.
      iii. devMode is true or false.

      ["someValue"] of the name of "someKey" enters in SessionMap when the
      request shown in that URL is processed.
      It is meant that ["someValue"] is an array including "someValue".
      This causes ClassCastException in case of almost.

      hisato.killing@gmail.com
      It is thought that this only has to be my mistake ,setting etc.

      Thanks

        Attachments

        1. s2inject.zip
          6 kB
          Hisato Killing

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              hisato.killing Hisato Killing
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: