Is this a Struts vulnerability? Friends who know Struts well, please take a look...

nicezk 2002-03-16 09:43:51
Below is a section of code from the Struts example application. EditRegistrationAction extends Action and handles requests coming in on editRegistration.do. Reading the code, if you access:
http://localhost:8080/struts-example/editRegistation.do?action=Create
the program should first fetch the User bean from the session and, if it is null, forward to logon. But when I tried it, accessing the link above without being logged in, I got straight into the registration page and could even store new registration information, which looks like it bypasses user authentication?!
Is this a Struts vulnerability?


package org.apache.struts.webapp.example;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.util.Locale;
import java.util.Vector;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionServlet;
import org.apache.struts.util.MessageResources;
import org.apache.struts.util.PropertyUtils;

/**
 * @author Craig R. McClanahan
 * @version $Revision: 1.2 $ $Date: 2001/04/14 12:53:07 $
 */

public final class EditRegistrationAction extends Action {

    public ActionForward perform(ActionMapping mapping,
                                 ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
        throws IOException, ServletException {

        // Extract attributes we will need
        Locale locale = getLocale(request);
        MessageResources messages = getResources();
        HttpSession session = request.getSession();
        String action = request.getParameter("action");
        if (action == null)
            action = "Create";
        if (servlet.getDebug() >= 1)
            servlet.log("EditRegistrationAction: Processing " + action +
                        " action");

        // Is there a currently logged on user?
        // "Create" registers a new user, so only the other actions
        // require a User already present in the session
        User user = null;
        if (!"Create".equals(action)) {
            user = (User) session.getAttribute(Constants.USER_KEY);
            if (user == null) {
                if (servlet.getDebug() >= 1)
                    servlet.log(" User is not logged on in session "
                                + session.getId());
                return (servlet.findForward("logon"));
            }
        }

        // Populate the user registration form
        if (form == null) {
            if (servlet.getDebug() >= 1)
                servlet.log(" Creating new RegistrationForm bean under key "
                            + mapping.getAttribute());
            form = new RegistrationForm();
            if ("request".equals(mapping.getScope()))
                request.setAttribute(mapping.getAttribute(), form);
            else
                session.setAttribute(mapping.getAttribute(), form);
        }
        RegistrationForm regform = (RegistrationForm) form;
        if (user != null) {
            if (servlet.getDebug() >= 1)
                servlet.log(" Populating form from " + user);
            try {
                PropertyUtils.copyProperties(regform, user);
                regform.setAction(action);
                regform.setPassword(null);
                regform.setPassword2(null);
            } catch (InvocationTargetException e) {
                Throwable t = e.getTargetException();
                if (t == null)
                    t = e;
                servlet.log("RegistrationForm.populate", t);
                throw new ServletException("RegistrationForm.populate", t);
            } catch (Throwable t) {
                servlet.log("RegistrationForm.populate", t);
                throw new ServletException("RegistrationForm.populate", t);
            }
        }

        // Set a transactional control token to prevent double posting
        if (servlet.getDebug() >= 1)
            servlet.log(" Setting transactional control token");
        saveToken(request);

        // Forward control to the edit user registration page
        if (servlet.getDebug() >= 1)
            servlet.log(" Forwarding to 'success' page");
        return (mapping.findForward("success"));
    }
}
aprim 2002-03-18
jambeauy@hotmail.com
llkh 2002-03-18
In Tomcat 4 you can use a program to filter out unauthenticated access.
Hikaru 2002-03-18
topgunxy@hotmail.com
ibm 2002-03-18
ibeaman@263.net
yadang 2002-03-16
kitty79630@21cn.com
nicezk 2002-03-16
Strongly recommend everyone join the "Struts Research" group:
http://www.smiling.com.cn/search/groupinfo.ecgi?group_id=32529

Friends interested in Struts, please leave your E-mail; everyone who does gets points. My E-mail is: nicezk@163.net. Welcome to exchange ideas!
nicezk 2002-03-16
Thanks ThisFellow!

Problem solved. I missed the "!" below: the program only verifies the user for requests that are NOT Create. My apologies.

if (!"Create".equals(action)) {

ThisFellow 2002-03-16
Yes, this is only a sample.
I suggest checking the login info in the session at the start of every perform, and forbidding direct database access from JSPs, allowing them to access only information in the model.
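The two suggestions in this thread, llkh's filter in Tomcat 4 and ThisFellow's session check at the start of every perform, can be centralised in one Servlet 2.3 filter so no action has to remember the check. This is an added example, not code from struts-example or from anyone in the thread; the LogonFilter class, the "public" and "logonPage" init-param names and the logon page path are assumptions, while Constants.USER_KEY is the session key the action above reads.

```java
package org.apache.struts.webapp.example;

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
 * Servlet 2.3 filter (Tomcat 4 and later): a request whose servlet path is not
 * listed in the "public" init-param must carry a session holding
 * Constants.USER_KEY; otherwise it is redirected to the "logonPage" init-param.
 * Both init-param names are assumed here. Map the filter in web.xml with
 * url-pattern "/*" and list e.g. "/logon.do,/logon.jsp" as public.
 */
public final class LogonFilter implements Filter {
    private final Set publicPaths = new HashSet();   // raw type: JDK 1.3/1.4 era
    private String logonPage = "/logon.jsp";          // assumed default
    public void init(FilterConfig config) {
        String list = config.getInitParameter("public");
        StringTokenizer st = new StringTokenizer(list == null ? "" : list, ",");
        while (st.hasMoreTokens())
            publicPaths.add(st.nextToken().trim());
        String page = config.getInitParameter("logonPage");
        if (page != null)
            logonPage = page;
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!publicPaths.contains(request.getServletPath())) {
            // getSession(false): do not create a session only to find it empty
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute(Constants.USER_KEY) == null) {
                response.sendRedirect(request.getContextPath() + logonPage);
                return;   // stop the chain; the action never runs
            }
        }
        chain.doFilter(req, res);
    }
    public void destroy() { publicPaths.clear(); }
}
```

Paths that are legitimately anonymous, such as logon and the Create registration request, belong in the public list; the per-action check in EditRegistrationAction still governs the Edit requests behind them.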
