Struts 2 / WW-3631

Implementing SessionAware allows session tampering

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.1.8.1
    • Fix Version/s: 2.3.3
    • Component/s: Value Stack
    • Environment:

      Tested using Glassfish v3.

      Description

      This was previously raised as an issue under WW-2264. After the discussion it was determined that this is not a bug - I disagree and would like to raise the issue again.

      If an Action implements SessionAware the contents of the session are modifiable, this includes the public setters on objects stored in the session.

      Ok, for the Action to be able to modify the contents of the session it must also implement a "public Map getSession()". However, even if the Action does not implement a getSession method it is still possible for an attacker to tamper with the contents of the HttpSession and affect the processing of the Action.

      I agree with the solutions previously discussed in WW-2264 that 'session' should be added to the parameter exclusion list in the struts-default.xml. Additionally, a warning should be added to the JavaDoc for SessionAware indicating the possible issue with exposing the session via the interface and that if the configuration of the interceptors does not explicitly exclude 'session' in the paramExclude node it is possible for a requester to modify the session.
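      As an added illustration of the mitigation the report proposes (this is not a file from the issue, the attached test project, or the Struts project), a struts.xml that makes the 'session' exclusion explicit in the application's own interceptor stack instead of relying on the shipped struts-default.xml. The package, namespace and action class names, and the exact regex lists, are assumptions for this example:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- Hypothetical application package; names are illustrative, not from the issue. -->
  <package name="profile" extends="struts-default" namespace="/profile">

    <interceptors>
      <!-- The default stack is reused, but the "params" interceptor's excludeParams
           list is overridden explicitly so the exclusion does not depend on which
           struts-default.xml is on the classpath.

           Weak setting (assumed to mirror the behaviour the issue describes: only
           dojo.* and struts.* are excluded, so a parameter named session.<key>.<prop>
           can reach the map returned by a SessionAware action's getSession()):
             <param name="params.excludeParams">dojo\..*,^struts\..*</param>

           Corrected setting: any parameter whose name starts with session., request.
           or application. (and the servlet request/response objects) is dropped by
           the ParametersInterceptor before OGNL evaluation, so the setters of
           objects stored in the session are no longer reachable by parameter name. -->
      <interceptor-stack name="sessionSafeStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>

    <default-interceptor-ref name="sessionSafeStack"/>

    <!-- Hypothetical action class that implements SessionAware -->
    <action name="edit" class="example.profile.EditProfileAction">
      <result name="success">/WEB-INF/jsp/profile.jsp</result>
    </action>
  </package>
</struts>
```

      To check the exclusion is in force, enable DEBUG logging for com.opensymphony.xwork2.interceptor.ParametersInterceptor in a test deployment and confirm that a request carrying a session.* parameter logs it as excluded rather than applying it.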

      1. Struts2Test.zip
        3.10 MB
        Jeremy Long

          People

          • Assignee: Lukasz Lenart
          • Reporter: Jeremy Long