Dear Struts 2.x Development Team,
As part of our Master's Program course (M.Eng. Information System Security) project, we tried to analyse and find potential security issues in the Struts 2.3.20 web applications (included as WAR files in the Struts installation bundle). Below is the unique list of vulnerabilities we found. Since software developers use these WAR files as a platform to build real-world applications, the identified vulnerabilities would be present in the actual applications as well. Please analyse the vulnerabilities carefully. We hope that this exercise would help you to fix the vulnerabilities in a future release.
No | Vulnerability Type | File Name | Line No | Summary

1 | Privacy Violation | MailreaderSupport.java | 374 | The method findUser() in MailreaderSupport.java mishandles confidential information. Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.

2 | Denial of Service | LongProcessAction.java | 35 | The call to sleep() at LongProcessAction.java line 35 allows an attacker to crash the program or otherwise make it unavailable to legitimate users.

3 | Hardcoded Password | Constants.java | 110 | Hardcoded passwords can compromise system security in a way that cannot be easily remedied.

4 | Password (unencrypted) in a config file | alternate.properties | 1 | Storing a plaintext password in a configuration file may result in a system compromise.

5 | Unreleased Resources | ApplicationListener.java | 219 | The function calculatePath() in ApplicationListener.java sometimes fails to release a system resource allocated by getResourceAsStream() on line 219.
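To illustrate finding 5, here is an added example (not code from Struts or from the report) contrasting the leak pattern the finding describes with a try-with-resources version that closes the stream on every path. The class name, method names and the resource name passed in main() are hypothetical; ApplicationListener.calculatePath() itself is not reproduced here.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

public final class ResourceLoading {

    // Pattern the finding describes: the stream returned by getResourceAsStream()
    // is only closed on the success path. If load() throws, close() is skipped
    // and the underlying file descriptor leaks until garbage collection.
    static Properties loadLeaky(ClassLoader cl, String name) throws IOException {
        InputStream in = cl.getResourceAsStream(name);
        if (in == null) {
            throw new IOException("resource not found: " + name);
        }
        Properties p = new Properties();
        p.load(in);   // an exception here bypasses the close() below
        in.close();
        return p;
    }

    // Hardened form: try-with-resources closes the stream whether load()
    // succeeds or throws. A null resource is allowed by the language and
    // simply results in no close() call, so the missing-resource check
    // can stay inside the try block.
    static Properties loadSafely(ClassLoader cl, String name) throws IOException {
        try (InputStream in = cl.getResourceAsStream(name)) {
            if (in == null) {
                throw new IOException("resource not found: " + name);
            }
            Properties p = new Properties();
            p.load(in);
            return p;
        }
    }

    public static void main(String[] args) {
        // Hypothetical resource name; replace with a properties file on the classpath.
        String resource = args.length > 0 ? args[0] : "example.properties";
        ClassLoader cl = ResourceLoading.class.getClassLoader();
        try {
            Properties p = loadSafely(cl, resource);
            // Print only the key names: values may hold secrets (see finding 4).
            System.out.println("loaded keys: " + p.stringPropertyNames());
        } catch (IOException e) {
            System.out.println("load failed, stream still closed: " + e.getMessage());
        }
    }
}
```

The same try-with-resources shape applies to any InputStream, Reader or JDBC handle opened in calculatePath(), and static analysers that flag "unreleased resource" findings generally recognise it as the fix.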
Thanks and Regards