Struts 2 performance


Re: Struts 2 performance

by Toni Lyytikäinen

I tried this too, and I can confirm that it does actually shut down the
server. The return value of the method that the property tag references is
evaluated for some reason, which makes the application vulnerable to OGNL
injection attacks... this is a huge security problem.

On 7/16/07, Aram Mkhitaryan <aram.mkhitaryan@...> wrote:

>
> Maybe it's new just for me, but I found out one of the main reasons for the
> problem
>
> try to submit "%{@java.lang.System@exit(0)}" in the viewable property
> for example you submit a text, and it is displayed by s2's tags
>
> try and have fun ...
>
> this expression works and my server shuts down!
>
> the problem I mentioned is that when I say "print property" it executes it
> at first ...
> but it should not! I'm right, aren't I?
>
> why does it execute the string value in my property?
> (it's not just a problem, it's a security risk, the users can hack s2
> sites)
> (at least whoever reads this message will know that they can hack s2 sites
> and the simplest way is given above)
>
> that's why even when you do not use ognl expressions, it still works and
> it costs ...
>
> Best,
> Aram
> ________________________________
> Aram Mkhitaryan
>
> 52, 25 Lvovyan, Yerevan 375000, Armenia
>
> Mobile: +374 91 518456
> E-mail: aram.mkhitaryan@...
>

RE: Struts 2 performance

by David Sullivan

Tried this in a WebWork app, which is internal, and it has the same problem. Shut down the server.


David Sullivan - david.sullivan@...
Senior Java Developer
ITSA - Insolvency and Trustee Services Australia
(w) 6270 3436
(m) 0402 309 488

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@...
For additional commands, e-mail: user-help@...


Re: Struts 2 performance

by Aram Mkhitaryan

look here
http://struts.apache.org/2.0.8/docs/property.html
http://struts.apache.org/2.0.8/docs/text.html
http://struts.apache.org/2.0.8/docs/if.html
and on the pages of other tags

there you can find a column "Evaluated",
and everywhere it has the value "true"

I guess that means that values are being evaluated!
It's terrible ...
It's not only a bottleneck, but also a security risk!

Maybe there is a configuration parameter to disable that evaluation?

Does anyone have ideas where to find such a configuration possibility?

Best,
Aram
________________________________
Aram Mkhitaryan

52, 25 Lvovyan, Yerevan 375000, Armenia

Mobile: +374 91 518456
E-mail: aram.mkhitaryan@...
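
The "Evaluated" column Aram points at is the mechanism behind the whole thread: tag attributes are OGNL, and the reported bug is that the string a tag fetches from a property is pushed through the same %{...} translation a second time, so text a user submitted becomes code. The Java below is an added illustration written for this page, not Struts or WebWork code: it models the two rendering paths against the OGNL library directly, with a benign Probe.fire() standing in for @java.lang.System@exit(0) so you can see which path executes the payload. It assumes OGNL 2.6.x or 3.1.x on the classpath (the single-argument Ognl.createDefaultContext); the names Action, Probe, translateVariables, renderVulnerable and renderSafe are the example's own.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import ognl.Ognl;
import ognl.OgnlException;

/*
 * Added illustration of the double evaluation reported in the thread.
 * Not Struts code: it models the two tag rendering paths against the OGNL
 * library directly. Assumes OGNL 2.6.x or 3.1.x on the classpath; the names
 * Action, Probe, translateVariables, renderVulnerable and renderSafe are
 * this example's own.
 */
public class OgnlDoubleEvalDemo {

    /** Stand-in for the action on the value stack; message is user-submitted text. */
    public static class Action {
        private final String message;
        public Action(String message) { this.message = message; }
        public String getMessage() { return message; }
    }

    /** Benign stand-in for @java.lang.System@exit(0): records that it was called. */
    public static class Probe {
        public static volatile boolean fired = false;
        public static String fire() { fired = true; return "PROBE-EXECUTED"; }
    }

    /** Matches the %{...} expression syntax used in tag attributes. */
    private static final Pattern EXPR = Pattern.compile("%\\{(.*?)\\}");

    /** Replace each %{expr} in text with the result of evaluating expr as OGNL against root. */
    static String translateVariables(String text, Object root) throws OgnlException {
        Map<?, ?> ctx = Ognl.createDefaultContext(root);
        Matcher m = EXPR.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            Object v = Ognl.getValue(Ognl.parseExpression(m.group(1)), ctx, root);
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(v)));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Bug pattern: the attribute is translated, then the data it produced is translated again. */
    static String renderVulnerable(String attribute, Object root) throws OgnlException {
        String data = translateVariables(attribute, root);
        return translateVariables(data, root);
    }

    /** Correct pattern: the attribute is translated once; whatever comes back is text to escape. */
    static String renderSafe(String attribute, Object root) throws OgnlException {
        return translateVariables(attribute, root);
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed attacker input, as it would arrive in a form field.
        String payload = "%{@OgnlDoubleEvalDemo$Probe@fire()}";
        Action action = new Action(payload);

        // Same attribute both times; only the rendering path differs.
        System.out.println("safe      : " + renderSafe("%{message}", action));
        System.out.println("probe ran : " + Probe.fired);

        System.out.println("vulnerable: " + renderVulnerable("%{message}", action));
        System.out.println("probe ran : " + Probe.fired);
    }
}
```

On the safe path the payload comes back as the literal string the user typed and Probe.fired stays false; on the vulnerable path the second translateVariables call evaluates it and Probe.fire() runs. The check to carry back to a real application is the same: a tag that displays a property should print a submitted "%{...}" string verbatim (and HTML-escaped), and if it instead evaluates it, the tag layer is treating output as a template, which is exactly the condition reported above.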

Re: Struts 2 performance

by Musachy Barroso

https://issues.apache.org/struts/browse/WW-2030

musachy

--
"Hey you! Would you help me to carry the stone?" Pink Floyd

RE: Struts 2 performance

by David Harland

You have either taken down the server that is running the showcase app,
or someone's using the OGNL feature to shut it down.

I take it you will be doing a release once the fix has gone in?

Thanks..
