Bug#360551: libstruts1.2-java: Three security problems in Struts

Moritz Muehlenhoff jmm at debian.org
Mon Apr 3 07:44:59 UTC 2006


Package: libstruts1.2-java
Severity: grave
Tags: security
Justification: user security hole

Struts 1.2.9 fixes three security problems:

======================================================
Name: CVE-2006-1546
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1546
Reference: MLIST:[struts-user] 20060121 Validation Security Hole?
Reference: URL:http://mail-archives.apache.org/mod_mbox/struts-user/200601.mbox/%3c20060121221800.15814.qmail@web32607.mail.mud.yahoo.com%3e
Reference: MLIST:[struts-devel] 20060122 Re: Validation Security Hole?
Reference: URL:http://mail-archives.apache.org/mod_mbox/struts-dev/200601.mbox/%3cdr169r$623$2@sea.gmane.org%3e
Reference: CONFIRM:http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
Reference: CONFIRM:http://issues.apache.org/bugzilla/show_bug.cgi?id=38374

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote
attackers to bypass validation via a request with a
'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which
causes the action to be canceled but would not be detected from
applications that do not use the isCancelled check.


======================================================
Name: CVE-2006-1547
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1547
Reference: CONFIRM:http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
Reference: CONFIRM:http://issues.apache.org/bugzilla/show_bug.cgi?id=38534

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9
with BeanUtils 1.7 allows remote attackers to cause a denial of
service via a multipart/form-data encoded form with a parameter name
that references the public getMultipartRequestHandler method, which
provides further access to elements in the
CommonsMultipartRequestHandler implementation and BeanUtils.


======================================================
Name: CVE-2006-1548
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1548
Reference: CONFIRM:http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
Reference: CONFIRM:http://issues.apache.org/bugzilla/show_bug.cgi?id=38749

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction
and possibly (2) DispatchAction and (3) ActionDispatcher in Apache
Software Foundation (ASF) Struts before 1.2.9 allows remote attackers
to inject arbitrary web script or HTML via the parameter name, which
is not filtered in the resulting error message.


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
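
The check that the first advisory (CVE-2006-1546) says vulnerable applications omit, as an added example; this is not code from the bug report or from Struts itself. It assumes Struts 1.2.x on the classpath; SaveOrderAction, SaveOrderForm and the forward names "cancelled" and "success" are hypothetical.

```java
// Added example for CVE-2006-1546; not code from the bug report or from
// Struts. Assumes Struts 1.2.x on the classpath. SaveOrderAction,
// SaveOrderForm and the forwards "cancelled"/"success" are hypothetical.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class SaveOrderAction extends Action {

    /** Hypothetical form bean; normally validated by validate() or the Validator. */
    public static class SaveOrderForm extends ActionForm {
        private int quantity;

        public int getQuantity() {
            return quantity;
        }

        public void setQuantity(int quantity) {
            this.quantity = quantity;
        }
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // A request carrying the html:cancel token (request parameter named by
        // Constants.CANCEL_PROPERTY) makes RequestProcessor.processValidate()
        // skip form validation and set Globals.CANCEL_KEY on the request.
        // An action that never asks isCancelled() goes on to use a form bean
        // that was never validated; that is the bypass in CVE-2006-1546.
        if (isCancelled(request)) {
            return mapping.findForward("cancelled");
        }

        // Reached only for a non-cancelled request, i.e. after validation ran.
        SaveOrderForm order = (SaveOrderForm) form;
        request.setAttribute("savedQuantity", Integer.valueOf(order.getQuantity()));
        return mapping.findForward("success");
    }
}
```

The attack is a normal form submission with the cancel parameter added (its name is the value of Constants.CANCEL_PROPERTY, "org.apache.struts.taglib.html.CANCEL"): validation is skipped, and an action without the isCancelled() branch processes whatever values were posted. Struts 1.2.9 also closes the hole on the framework side: an action mapping must declare cancellable="true" in struts-config.xml to accept the cancel token, and other mappings reject it with an InvalidCancelException. Upgrading therefore protects actions that were never written with the check, but the explicit branch above remains the right way to write an action that does accept cancel.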
